Cross domain security

Peyman and I are planning a few posts on common techniques for getting around cross-domain security limitations. Cross-domain scripting attacks were first noticed sometime in 1997/1998 as browsers started to support more capabilities. Websites typically did authentication via cookies and other user state, so mechanisms like XmlHttpRequest could be used by one web-app to impersonate the user to other web-services and steal data from them. Unfortunately this same mechanism is also very useful for building complex web-apps, mash-ups, and other such desirable things, and the limitation has been a big frustration for a long time; here is a post from 1999 where I discussed some of the issues involved with Dave Winer.


One thing to keep in mind is that cross-domain data access isn't always bad. It's only bad when the target web-service wasn't designed with it in mind and can't tell the difference between the normal user sitting in front of their browser at the site and a different web-page invisibly making the same requests, with the same cookies attached. Hopefully soon browsers will support the target site explicitly allowing these cross-domain requests. This is a feature that has been supported by Flash for some time I believe, but for various reasons has been slow to get into XmlHttpRequest and other mechanisms that are native to the web/Ajax platform.
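As an added example (not code from the original post), here is what the "target site explicitly allows" check looks like on the server side, using the Origin/Access-Control-Allow-Origin headers that browsers later standardised as CORS; the allowlisted origins and the request shape are constructed assumptions, and the weak reflect-anything variant is shown beside it for contrast.

```javascript
// Constructed allowlist: the only pages this service is willing to answer cross-domain.
const ALLOWED_ORIGINS = new Set(['https://app.example.com', 'https://widgets.example.net']);

// Decide which CORS response headers (if any) a request earns.
// Returns null when the Origin is untrusted, so the browser withholds the body
// from the calling page even though the user's cookies were sent.
function corsHeadersFor(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders['origin'];
  if (!origin) return null;                    // same-origin or non-browser caller: no grant needed
  let parsed;
  try { parsed = new URL(origin); } catch (e) { return null; }  // "null" or junk Origin: untrusted
  const normalised = parsed.origin;            // lower-cases host, drops any path
  // Exact-match against the set; a prefix check would let app.example.com.evil.example through.
  if (!allowed.has(normalised)) return null;
  return {
    'Access-Control-Allow-Origin': normalised, // echo the one trusted origin, never '*' with cookies
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',                          // shared caches must key responses on Origin
  };
}

// The weak configuration: reflect whatever Origin arrived. Any page on the web
// can then read this user's data, which is exactly the 1997-era problem again.
function reflectAnyOrigin(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!origin) return null;
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Minimal handler: untrusted cross-domain callers get no data at all.
function handle(request) {
  const cors = corsHeadersFor(request.headers);
  if (request.headers['origin'] && !cors) {
    return { status: 403, headers: {}, body: '' };
  }
  return { status: 200, headers: cors || {}, body: JSON.stringify({ balance: 42 }) }; // constructed payload
}
```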


Over the years several techniques have evolved depending on your goals; these include use of script tags and JSON, various iframe techniques, invisible widgets and more. Watch this space for details of each approach.