XMLHttpRequest Same Domain Stupidity
With XMLHttpRequest, there's an annoying restriction saying that you may only request data from the original domain the page came from.
This causes problems when you need to, for whatever reason, access data from another domain. With web mashups becoming more and more common, this is becoming a large problem.
Simple examples of the concept would be embedding a live-updating Facebook widget or a Flickr photo-stream widget. Both would require pulling data from their respective domains - and due to the "same domain" request restriction, couldn't do it through
Fortunately, this problem has been addressed, using something like JSONP.
Except that you still can't pull this using XMLHttpRequest. So instead, what you do is create a new script tag and set its src attribute to this new URL.
Thereby pulling in the code from the third-party domain. And executing it directly.
Which is far less secure than being allowed to use XMLHttpRequest to access third party domains could ever be. (Well, sort of...)
So, in order to work around a "security" feature, the idea is to purposefully open up a cross-site scripting hole.
A quick note on the "sort of" above: allowing XMLHttpRequest to third-party domains opens up the potential to allow cross-site request forgeries. But this can be solved by limiting third-party domains to "GET" requests and assuming the people running the third-party domains aren't complete morons.
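The difference between the script-tag workaround and a plain data request, as an added example that is not part of the original post: the same tampered response is run as code on the JSONP path and rejected on the parse-only path. The endpoint responses, the `handleFeed` callback name and the `page` object are constructed for illustration, and `new Function` stands in for the browser executing a `<script src>` response.

```javascript
// Constructed sample responses from a hypothetical third-party widget endpoint.
const HONEST_JSONP = 'handleFeed({"photos":["a.jpg","b.jpg"]});';
const TAMPERED_JSONP =
  'handleFeed({"photos":[]}); document.seenByThirdParty = document.cookie;';
const HONEST_JSON = '{"photos":["a.jpg","b.jpg"]}';

// Constructed stand-in for the state a real page's scripts can reach.
function makePage() {
  return { document: { cookie: "session=constructed-value" }, received: [] };
}

// JSONP path: the response body runs as code with the page's authority.
// new Function stands in here for the browser executing <script src=...>.
function loadViaJsonp(page, responseBody) {
  const handleFeed = (data) => page.received.push(data);
  new Function("handleFeed", "document", responseBody)(handleFeed, page.document);
  return page.received.length;
}

// Data path: the same bytes are parsed, never executed, then shape-checked.
function loadAsData(page, responseBody) {
  let data;
  try {
    data = JSON.parse(responseBody);
  } catch (e) {
    return false; // anything that is not pure JSON is rejected
  }
  const ok = data !== null && typeof data === "object" &&
    Array.isArray(data.photos) && data.photos.every((p) => typeof p === "string");
  if (ok) page.received.push(data);
  return ok;
}

function demo() {
  const viaScript = makePage();
  loadViaJsonp(viaScript, TAMPERED_JSONP);
  const viaData = makePage();
  const accepted = loadAsData(viaData, TAMPERED_JSONP);
  return {
    scriptReadCookie: viaScript.document.seenByThirdParty, // set by the response
    dataAccepted: accepted,
    dataReadCookie: viaData.document.seenByThirdParty,
  };
}

console.log(demo());
```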