我做的（去precated）一些测试Twitter的API 1.0

I'm doing some tests with the (deprecated) Twitter API 1.0

例如，我想利用任何跨域的网页浏览器的AJAX请求从API，客户端数据。它可以是一个新的空白标签，本地HTML页面或任何现有的网站。

For example, I want to get data from the API, client-side using AJAX browser requests from any cross-origin webpage. It can be a new blank tab, a local HTML page or any existing website.

我试过JSONP，它的伟大工程，但我想用默认XMLHtt prequest即使Twitter的服务器不支持CORS的 http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing 。

I've tried JSONP, it works great but I would like to use the default XMLHttpRequest even if Twitter servers do not support CORS http://en.wikipedia.org/wiki/Cross-Origin_Resource_Sharing.

在google.com的主页为例，我以为我与萤火虫执行一个简单的AJAX调用Twitter API的：

On google.com homepage for example, I create a simple AJAX call to Twitter API that I execute with Firebug:

var xhr = new XMLHttpRequest();
xhr.open("GET", "https://api.twitter.com/1/friends/ids.json?screen_name=baptx", false);
xhr.send();

这将无法正常工作，并打印在Firebug的一个错误是由于同源策略：

This will not work and print an error on Firebug due to the same origin policy:

Error: Failure
xhr.send();

它返回一个HTTP 200 OK code，但没有JSON数据已经从服务器接收到。

It returns an HTTP 200 OK code but no JSON data has been received from the server.

我见过从google.com网页的请求和api.twitter网页之间有两个区别（谁的作品Twitter的API请求，因为它的API域名，同根同源）。

I've seen two differences between a request from a google.com webpage and the api.twitter webpage (who works for Twitter API requests since it's the API domain name, same origin).

这是原产地的HTTP头中已经加入了当前域名：

An Origin HTTP header has been added with the current domain name:

Origin  https://www.google.com

引用者HTTP标头不 https://api.twitter.com/ 就像从API的请求.twitter.com页，但在我的情况：

The Referer HTTP header is not https://api.twitter.com/ like a request from api.twitter.com page but is in my case:

Referer https://www.google.com/webhp?hl=en

这就是为什么我试图删除的起源HTTP标头和修改当前的Referer HTTP头 https：//开头API .twitter.com /

That's why I've tried to remove the Origin HTTP header and modify the current Referer HTTP header to https://api.twitter.com/

我已经与Firefox的ModifyHeaders扩展做到了这一点，它的作品，我可以检查Firebug的网络选项卡中，这些更改是否正确。

I've done this with the Firefox ModifyHeaders extension and it works, I can check in Firebug "Net" tab that those changes were made correctly.

现在，我有一个请求来自google.com的网页和api.twitter.com网页来了同样的请求头。 它仍然无法从做比API另一个域中的AJAX请求，即使HTTP标头被覆盖了，为什么？

Now, I have the SAME request header from a request coming from google.com webpage and api.twitter.com webpage. It will still fail to do an AJAX request from another domain than the API, even if the HTTP headers are overwritten, why?

顺便说一句，你知道为什么一个AJAX请求从Firefox的新建选项卡Twitter的API将工作？

By the way, do you know why an AJAX request to Twitter API from Firefox "New Tab" will work?

推荐答案

如果web服务器不允许跨域资源共享，我们必须手动添加HTTP响应头访问控制 - 允许 - 产地：*

If web servers don't allow Cross-origin resource sharing, we have to manually add the HTTP response header Access-Control-Allow-Origin: *

我认为这个问题是在请求头。有没有Firefox的插件修改HTTP响应头，只请求头是由ModifyHeaders或TamperData支持： Modifying在Firefox HTTP响应头

I thought the problem was in request headers. There was no Firefox addon to modify HTTP response headers, only request headers are supported by ModifyHeaders or TamperData: Modifying HTTP response headers in Firefox

我的问题，其实是一个与此相似：Can我禁用SOP（同源策略），在任何浏览器的发展？

My question was in fact similar to this one: Can I disable SOP (Same Origin Policy) on any browser for development?

解决方案：有人developped一个Firefox插件强制CORS：的https：/ /addons.mozilla.org/en-US/firefox/addon/forcecors/ 。或者，我们可以使用GM_xmlhtt prequest在的GreaseMonkey脚本，它会绕过XMLHtt prequest同源策略。在Chrome中，没有任何插件像你想要的，因为浏览器不提供API来修改HTTP请求/响应头，但有一个标志，禁止SOP（ - 禁用网络安全性）

Solutions: Someone has developped a Firefox addon to force CORS: https://addons.mozilla.org/en-US/firefox/addon/forcecors/. Or we can use GM_xmlhttpRequest in a GreaseMonkey script, it will bypass the same origin policy of XMLHttpRequest. In Chrome, there is no addon to modify HTTP request/response headers like you want since the browser does not provides APIs, but there is a flag to disable SOP (--disable-web-security)