Using XMLHttpRequest without CORS by modifying HTTP headers?

Question

I'm doing some tests with the (deprecated) Twitter API 1.0

For example, I want to get data from the API, client-side using AJAX browser requests from any cross-origin webpage. It can be a new blank tab, a local HTML page or any existing website.

I've tried JSONP, it works great but I would like to use the default XMLHttpRequest even if Twitter servers do not support CORS http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing.

On google.com homepage for example, I create a simple AJAX call to Twitter API that I execute with Firebug:

var xhr = new XMLHttpRequest();
xhr.open("GET", "https://api.twitter.com/1/friends/ids.json?screen_name=baptx", false);
xhr.send();

This will not work and print an error on Firebug due to the same origin policy:

Error: Failure
xhr.send();

It returns an HTTP 200 OK code but no JSON data has been received from the server.

I've seen two differences between a request from a google.com webpage and the api.twitter webpage (who works for Twitter API requests since it's the API domain name, same origin).

An Origin HTTP header has been added with the current domain name:

Origin  https://www.google.com

The Referer HTTP header is not https://api.twitter.com/ like a request from api.twitter.com page but is in my case:

Referer https://www.google.com/webhp?hl=en

That's why I've tried to remove the Origin HTTP header and modify the current Referer HTTP header to https://api.twitter.com/

I've done this with the Firefox ModifyHeaders extension and it works, I can check in Firebug "Net" tab that those changes were made correctly.

Now, I have the SAME request header from a request coming from google.com webpage and api.twitter.com webpage. It will still fail to do an AJAX request from another domain than the API, even if the HTTP headers are overwritten, why?

By the way, do you know why an AJAX request to Twitter API from Firefox "New Tab" will work?

Answer 1

If web servers don't allow Cross-origin resource sharing, we have to manually add the HTTP response header Access-Control-Allow-Origin: *

I thought the problem was in request headers. There was no Firefox addon to modify HTTP response headers, only request headers are supported by ModifyHeaders or TamperData: Modifying HTTP response headers in Firefox

My question was in fact similar to this one: Can I disable SOP (Same Origin Policy) on any browser for development?

Solutions: Someone has developped a Firefox addon to force CORS: https://addons.mozilla.org/en-US/firefox/addon/forcecors/. Or we can use GM_xmlhttpRequest in a GreaseMonkey script, it will bypass the same origin policy of XMLHttpRequest. There is also a new addon called Header Editor which is open source and can edit both request and response headers: https://addons.mozilla.org/en-US/firefox/addon/header-editor/.

In Chrome, there is no addon to modify HTTP request/response headers like you want since the browser does not provides APIs, but there is a flag to disable SOP (--disable-web-security)