Lucas has posted an update that confirms the two points I made in my previous post:
- Safari does not allow cross-site AJAX. (It allows it only when it loads a local file, but that’s a good thing for prototyping.)
- Cross-site AJAX would be a huge problem for intranet issues.
I’m not sure that Lucas’s discovery is new. In fact, I was trying to describe exactly the problem he’s now explained. But no matter, the result is that this problem is now better understood by all, in particular thanks to Lucas posting some sample code that shows just how nasty this could get.
UPDATE: I guess I wasn’t persuasive enough, so I added an extensive comment on Lucas’s site. Hopefully that will help to clear things up. I’m not trying to scare anyone with this cross-site AJAX stuff, but it’s important to be very clear about the possible security issues.