Endpoints, the JavaScript Sandbox, and Widgets

XMLHttpRequest has one significant limitation: the same-domain restriction. A request through this object can be made only to the domain from which the page was first requested. This restriction is a key part of the JavaScript security sandbox (you can play only in your own "sandbox," thus avoiding the chaos that could result if code could connect anywhere). One reason for the restriction is to ensure that a malicious site can't use a web page containing an XHR request to access resources on a company intranet behind a firewall. There are ways around the restriction, such as signed scripts or security parameters set in the browser, but these options are being phased out as new browser versions are released.

Cross-domain access restrictions aren't normally a problem in a web application. After all, most of the web services an application uses are accessed from the same domain. In addition, if data must be pulled from another domain, we can create proxies (server-side applications that access the data and then pass it on to the client) to assist us.
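A proxy that fetches whatever URL the client names would let any visitor reach the intranet resources the same-domain restriction protects, so the proxy has to decide which upstreams it will contact. The following is an added example, not code from the book: a Node.js request handler with an exact-match host allowlist. The host names, `checkUpstream`, and `handleProxy` are hypothetical names chosen for illustration.

```javascript
// Added example. Host names are constructed placeholders.
const ALLOWED_UPSTREAMS = new Set(['api.weather.example', 'feeds.news.example']);

// Decide whether the proxy may fetch `raw` on a client's behalf.
function checkUpstream(raw) {
  let url;
  try { url = new URL(raw); } catch { return { ok: false, reason: 'unparseable URL' }; }
  if (url.protocol !== 'https:') return { ok: false, reason: 'scheme not allowed' };
  // "https://allowed-host@10.0.0.5/" parses with hostname 10.0.0.5; refuse userinfo outright.
  if (url.username || url.password) return { ok: false, reason: 'credentials in URL' };
  if (url.port !== '') return { ok: false, reason: 'non-default port' };
  // Exact match on the parsed, lowercased hostname; no substring or suffix tests.
  if (!ALLOWED_UPSTREAMS.has(url.hostname)) return { ok: false, reason: 'host not on allowlist' };
  return { ok: true, url };
}

// Node-style request handler for GET /proxy?url=<encoded upstream URL>.
async function handleProxy(req, res) {
  const target = new URL(req.url, 'http://localhost').searchParams.get('url') || '';
  const verdict = checkUpstream(target);
  if (!verdict.ok) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    return res.end('refused: ' + verdict.reason);
  }
  try {
    // No client cookies or headers are forwarded. redirect: 'error' keeps an
    // allowed host from bouncing the server to an address that is not allowed.
    const upstream = await fetch(verdict.url, {
      redirect: 'error',
      signal: AbortSignal.timeout(5000),
    });
    const body = await upstream.text();
    res.writeHead(upstream.status, {
      'Content-Type': upstream.headers.get('content-type') || 'text/plain',
    });
    res.end(body);
  } catch {
    res.writeHead(502, { 'Content-Type': 'text/plain' });
    res.end('upstream fetch failed');
  }
}

// Wiring (not run here): require('node:http').createServer(handleProxy).listen(8080);
```

The page's own script then calls `/proxy?url=...` with XMLHttpRequest, which stays inside the same-domain restriction because the proxy is served from the page's domain.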

There is one circumstance, though, where we can't depend on the server to manage access to external data for us: the use of widgets.

Widgets have a history on the desktop and other environments, but they are fairly new in web development. Widgets are small objects, usually embedded in a sidebar, that provide a simplified application or access to data, such as getting weather ...
