Wishful Coding

Didn't you ever wish your
computer understood you?

Cross-domain AJAX POST request -- Twitter client

One of the top items on my web-project-wish-list is a client-side Twitter client written in JavaScript, without resorting to a proxy.

The problem

The technology needed to write web applications is named AJAX, but for security reasons, AJAX has one important limitation! You can not make requests to another domain. Imagine what would happen if a malicious website would request your gmail inbox while you are logged in!


Because of this limitation, people started to look for other ways to make cross-domain request. Bring in JSONP! JSONP allows you to request data from another domain by inserting a script tag with a src attribute referring to the data location. This is used in the Twitter widget showed in my sidebar. JSONP has two limitations.
  1. You give the other domain scripting access to your site, opening a potential XSS vulnerability.
  2. You can only make a GET request.


Hidden iframes are another method to make asynchronous requests, but they to are limited to GET requests and are only accessible from the same domain. I have not yet found a solution for the access problem, but I can make POST requests.

The solution

  1. Make an iframe and set its display property to hidden.
  2. Load a page in the frame containing a form.
  3. Add hidden inputs to the form.
  4. Submit it!
Example: Click here to send a tweet to Twitter about this post!

iframe removed

The only remaining problem is that we can not access the return data, but as you can see, that is not needed in all cases.