How do Twitter make their API cross-domain accessible?

[Integralist]

Hi there,

I can understand how Twitter make their JSON feed available cross-domain as it returns JSON-P to call a function of the users choice.

But what about the RSS feed, how is it possible for developers to grab that feed data without any security implications?

Kind regards,

M.

[logic_earth]

The same way your browser downloads the HTML pages. With HTTP request.

[Integralist]

so when does cross-domain security become an issue?

I was of the understanding that if domain A made a request via JavaScript's XHR method for any resource under domain B then the browser would consider it a cross-domain request and thus a security threat?

[sk89q]

You can't access RSS feeds like you access JSON-P.

[Integralist]

Sorry, seems I was mistaken. I thought i had seen an example where a developer had used AJAX to request the RSS from Twitter but wasn't using a proxy (seems they were using a proxy to acheive this).

My next question is how can this be achieved without a proxy, or more specifically how can this be acheived with iFrames?

One hack most people attempt is setting

Code JavaScript:

document.domain

inside the document of the iFrame loading the external resource, but this won't work when loading an XML file into the iFrame as you can't run JavaScript within XML but also because on a site like Twitter which I have no access to I obviously can't set the document.domain because they just wont match.

I've heard that another solution is to create a sub domain and load that into the iFrame and then through DNS repoint the sub domain to the 3rd party site you wish to use, but surely that wouldn't work without the cooperation of the 3rd party site? I don't know enough about DNS settings so maybe someone can elaborate on this for me please and give an explanation/example on how to set-up the DNS of a subdomain to achieve this.

Thanks again for all your responses so far.

Kind regards,
M.