[Answering several questions at once] I think jpg files do not fall under the security rules of browsers, probably just for historical reasons. (One could easily imagine a picture could contain sensitive information). Oddly enough, neither does loading script.
With your PHP page, essentially what you have done then is write your own data proxy server. This is the same solution most 'big' developments use. Their application is deployed as a solo application that talks only to the server that it was delivered from, and there is an enterprise-class proxy server that handles all data requests on that server. The tomcat server that comes with OpenLaszlo is configured to make it easy to prototype and develop applications and will automatically proxy data requests if you use it in proxied mode, but when you deliver your application, we _highly_ recommend that you _not_ use the tomcat development server. It is not secure and it does not scale well for serving large audiences. You should deploy a SOLO application and you should use a proxy server that will meet your security and scalability needs.
