Here's the code. Do i need to "publish" Crm APIs to be accesible from HTML, is there any other way to dinamically populate a webtolead dropdown combo control? i've tried everything, please help.

<script type="text/javascript">

  var url = 'https://crm.zoho.com/crm/private/xml/Leads/getRecords?authtoken=805e8ff9b06bc706eaccb7d60738b11b&scope=crmapi&fromIndex=1&toIndex=25';

  var xhr = createCORSRequest("GET", url);

  if (!xhr) {

    alert('CORS not supported');

  }

  // Response handlers.

  xhr.onload = function() {

    var text = xhr.responseText;

    var title = getTitle(text);

    alert('Response from CORS request to ' + url + ': ' + title);

  };

  xhr.onerror = function() {

    alert('Woops, there was an error making the request.');

  };

       xhr.send();

    xml_str=xhr.response_XML;

    var x=xml_str.getElementsByTagName("First Name");

       var x=xml_str.getElementsByTagName("LEADID");

              var str='<select name=id>';

              for (i=0; i<x.length;i++){

str+='<option value='+y[i].childNodes[0].nodeValue + '>' + x[i].childNodes[0].nodeValue + '</option>';

    }

    str +='</select>';

    document.write("hola");

function createCORSRequest(method, url) {

  var xhr = new XMLHttpRequest();

  if ("withCredentials" in xhr) {

    // Check if the XMLHttpRequest object has a "withCredentials" property.

    // "withCredentials" only exists on XMLHTTPRequest2 objects.

    xhr.open(method, url, true);

  } else if (typeof XDomainRequest != "undefined") {

    // Otherwise, check if XDomainRequest.

    // XDomainRequest only exists in IE, and is IE's way of making CORS requests.

    xhr = new XDomainRequest();

    xhr.open(method, url);

  } else {

    // Otherwise, CORS is not supported by the browser.

    xhr = null;

  }

  return xhr;

}