Weird Thoughts From Eric's Head


Ajax: Is talking to outside domains safe?

One of the topics that pops up all of the time is the XMLHttpRequest's inability to talk to any domain outside of its own. Yes, we can change this by altering the browser settings, playing with the privilege manager, and signing scripts. These things are extra steps that people do not want to do when developing a small application. Plus they also add insecurity about the user's actions on the options they choose when visiting your site.

I personally do not think that the browser should be able to open requests to another domain. This would be opening a security hole. I am probably one of the only developers that believe this, but I see it as a bigger issue in my eyes with script kiddies and people up to no good.

Everyone thinks that it would be better to make a request to the outside domain. I would rather call my server-side page on my domain and have that retrieve the data. Now I can cache this data on my server so I do not have to go and keep getting the data. Caching this data on the client is not really possible if we are talking page refresh and traditional postbacks. We would lose this data and have to get it over and over on an uncertain, crowded, congested pipe across the internet. What if your server is in the US, the client is in the US, and the remote service is in India? The request has to travel halfway around the world and back to retrieve the same information it could have had on its US server. You are talking increased time having to wait for information.

If the client can hold session data, then we may be able to open up requests to outside domains, but we would have to somehow secure this new data transfer or we will see bigger holes for people to attack.

Eric Pascarello
Coauthor of Ajax In Action
Moderator of HTML/JavaScript at www.JavaRanch.com
Author of: JavaScript: Your Visual Blueprint for Dynamic Web Pages
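
The approach described in the post (a server-side page on your own domain that retrieves the remote data and caches it), as an added example that is not from the original post. The host name, function names and TTL are assumptions; the allowlist keeps the endpoint from relaying requests to arbitrary hosts.

```javascript
// Added example, not from the original post. Host and function names are hypothetical.
const ALLOWED_HOSTS = new Set(["feeds.partner.example"]); // constructed allowlist

function createProxyCache({ ttlMs = 60000, now = Date.now } = {}) {
  const cache = new Map(); // normalized URL -> { body, expires }

  // Decide what to do with a client-supplied target URL before any network I/O.
  function check(rawUrl) {
    let url;
    try {
      url = new URL(rawUrl);
    } catch {
      return { action: "reject", status: 400 };
    }
    // Without this check the endpoint relays requests to any host the server can reach.
    if (url.protocol !== "https:" || !ALLOWED_HOSTS.has(url.hostname)) {
      return { action: "reject", status: 403 };
    }
    const hit = cache.get(url.href);
    if (hit && hit.expires > now()) {
      return { action: "serve", status: 200, body: hit.body };
    }
    cache.delete(url.href); // drop the expired entry, if any
    return { action: "fetch", key: url.href };
  }

  // Record the remote response so later requests are answered from the local server.
  function store(key, body) {
    cache.set(key, { body, expires: now() + ttlMs });
  }

  return { check, store };
}

// How a same-origin handler would use it; fetch() is the global in Node 18+.
async function handle(proxyCache, rawUrl) {
  const decision = proxyCache.check(rawUrl);
  if (decision.action !== "fetch") return decision;
  const body = await (await fetch(decision.key)).text();
  proxyCache.store(decision.key, body);
  return { action: "serve", status: 200, body };
}
```

The browser only ever calls the page on its own domain, so the same-origin restriction on XMLHttpRequest stays in place and repeat requests never leave the local server until the entry expires.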


This is the same sort of security model as Java's "sandbox" for Applets. It is perfectly logical. There is no way for me to control what a script on another domain does, so I certainly won't trust it.
Perhaps the security of the AJAX applications should not be based on JavaScript but on the underlying server engine.

