The cross domain restrictions are stupid and flawed.

While browsers stop cross domain xmlhttp requests (the low level
JavaScript call behind ajax), the self-same browsers do allow
'<script>' tags to include scripts from any domain.

So if you can simulate the xmlhttp request to an external domain using
a <script>, you defeat the stupid and flawed cross domain restriction.

In practice instead of calling xmlhttp to (say) www.externaldomain.com
which would fail, dynamic html is used to insert
<script src="http://www.externaldomain.com/script.js" />. When this script
executes it may set a variable that other scripts on the page can see, or
may call a (callback) function that is elsewhere on your page (and so
within your domain).

So it does violate the principle of the policy, but the policy was
stupid so we are lucky that it was so badly implemented...

Paul /)/+)

On Feb 26, 1:18 pm, Amirh <[email protected]> wrote:
> There is something that I don't understand. From what I know, you
> can't use AJAX from different domains. So when I use the Google AJAX
> API from a non-Google domain, how does the browser allow it to make the
> query?
> Isn't it a violation of the security policy for AJAX?
>
> Amir
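
The script-include callback pattern described in the reply above, as an added example that is not part of the original thread or of Google's API code. It shows the external domain building the script body and the page's callback receiving the data. The included script runs with the including page's privileges, so the page is trusting that domain completely, and the server has to restrict the callback name. All function names are hypothetical, and the Function constructor stands in for the browser executing the fetched script.

```javascript
// Added example: both sides of the <script>-include ("JSONP") pattern.
// All names here are hypothetical; no network or DOM is used.

// A callback name must be a plain identifier. Anything else would let the
// query string inject arbitrary script into the response body.
const SAFE_CALLBACK = /^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/;

// Server side (the external domain): wrap data in a call to the page's callback.
function buildJsonpBody(callbackName, data) {
  if (typeof callbackName !== 'string' || !SAFE_CALLBACK.test(callbackName)) {
    throw new Error('rejected callback name');
  }
  // JSON is almost a JS subset; escape the characters that are not safe
  // inside a script response.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029')
    .replace(/</g, '\\u003c');
  // The leading comment keeps the response from starting with caller-chosen bytes.
  return `/**/${callbackName}(${json});`;
}

// Client side stand-in: a browser would run the fetched script in the
// including page's origin. Here the Function constructor plays that role,
// with the page's callback bound under the requested name.
function runAsIncludedScript(scriptBody, callbackName, callbackFn) {
  new Function(callbackName, scriptBody)(callbackFn);
}

// Constructed sample exchange.
function demo() {
  const received = [];
  const body = buildJsonpBody('handleResults', { q: 'ajax', hits: ['a</script>', 'b'] });
  runAsIncludedScript(body, 'handleResults', (payload) => received.push(payload));

  let rejected = false;
  try {
    buildJsonpBody('cb);other(', {}); // constructed malformed callback name
  } catch (e) {
    rejected = true;
  }
  return { body, received, rejected };
}

console.log(demo());
```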