For all its utility in crafting dynamic web applications, XMLHttpRequest (the underlying browser technology behind jQuery's Ajax implementation) is subject to strict boundaries. To prevent various cross-site scripting attacks, it is not generally possible to request a document from a server other than the one that hosts the original page.

This is typically a positive situation. For example, it is possible to parse incoming JSON data by calling eval() (unlike jQuery.parseJSON(), which uses safer techniques). If malicious code were present in the file, it would be executed by the eval() call. The JavaScript security model limits the risk here by requiring that the requested file reside on the same server as the web page itself, ...