One of the well-known security limitations in AJAX is cross-domain requests: domain A cannot make requests to domain B. Many workarounds have been devised to overcome this. One method is On-Demand JavaScript, which exploits the fact that a page can load JavaScript files in <script> tags from remote domains. These scripts are executed automatically once they are completely fetched. One drawback is that you cannot be notified (called back) when the script gets executed. If the remote site is cooperative (which is almost never the case!), it can return JS code that calls a function inside your page with any response as its actual parameters.

Another approach to the cross-domain problem is the sub-domain approach, where you assign the remote domain's IP to a subdomain under your own domain. Apparently, this cannot be distributed to your end-users.

This problem also exists in the IFrame AJAX pattern. If a page in domain A sets the source of a child iframe to a page in domain B, page A can neither read the document of page B nor change its contents, intuitively!

One solution to this is to communicate through the URLs of iframes/windows. Yes, they can get/set each other's URLs. But again, they have to be cooperative!

A proposed solution is to use the Greasemonkey Firefox plugin to make sites cooperative: you can attach any JavaScript to any site. However, exchanging information through URLs is neither totally convenient nor optimal.

Tired of partial or sub-optimal solutions? Now behold... CrossFox! It's my latest (and indeed first) Firefox plugin, and it directly attacks the problem. Once you install it, you get one extra little configuration option in your Firefox Preferences window under the Security tab. Just type in your trusted domains and all security limitations are void for them!

The idea relies on Mozilla's Configurable Security Policies: the plugin defines a new security policy that allows a set of cross-domain limitation overrides for a set of domains chosen by the user.

For example, causes a Permission denied exception, so is included in the set. Currently, the set defines methods that would break browser security for a test application. It is expected to grow as needed as the test application grows.
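One way to see which sites a Firefox profile has exempted through such a policy, as an added example (not CrossFox's code): it parses prefs text and reports every policy that sets a property to allAccess. It assumes the preference naming of Mozilla's Configurable Security Policies (capability.policy.policynames, capability.policy.<name>.sites, capability.policy.<name>.<Class>.<property>); the sample prefs and the policy name "trusted" are constructed, since the page does not show what CrossFox writes.

```javascript
// Added example: audit Firefox prefs text for Configurable Security Policy overrides.
// SAMPLE_PREFS is constructed; the policy name "trusted" is hypothetical.
const SAMPLE_PREFS = [
  '// constructed sample prefs',
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("capability.policy.policynames", "trusted");',
  'user_pref("capability.policy.trusted.sites", "http://a.example http://b.example");',
  'user_pref("capability.policy.trusted.XMLHttpRequest.open", "allAccess");',
  'user_pref("capability.policy.trusted.Window.alert", "sameOrigin");',
  'user_pref("capability.policy.default.Window.open", "noAccess");',
].join("\n");

// Parse user_pref("key", "value"); lines (string values only) into a Map.
function parsePrefs(text) {
  const prefs = new Map();
  const re = /^\s*user_pref\(\s*"([^"]+)"\s*,\s*"([^"]*)"\s*\)\s*;/gm;
  let m;
  while ((m = re.exec(text)) !== null) prefs.set(m[1], m[2]);
  return prefs;
}

// Report each policy that relaxes same-origin checks, and the sites it covers.
function auditCapsOverrides(text) {
  const prefs = parsePrefs(text);
  const prefix = "capability.policy.";
  const names = new Set(["default"]); // the "default" policy applies to every site
  (prefs.get(prefix + "policynames") || "").split(/[\s,]+/).filter(Boolean)
    .forEach((n) => names.add(n));
  const findings = [];
  for (const name of names) {
    const base = prefix + name + ".";
    const sites = name === "default" ? ["*"]
      : (prefs.get(base + "sites") || "").split(/\s+/).filter(Boolean);
    const relaxed = [];
    for (const [key, value] of prefs) {
      // Only "allAccess" lifts the same-origin check; skip the site list itself.
      if (key.startsWith(base) && key !== base + "sites" && value === "allAccess") {
        relaxed.push(key.slice(base.length));
      }
    }
    if (relaxed.length > 0) findings.push({ policy: name, sites, relaxed: relaxed.sort() });
  }
  return findings;
}

console.log(JSON.stringify(auditCapsOverrides(SAMPLE_PREFS), null, 2));
```

Any script served from a listed site can call the relaxed methods across origins, so the site list in each finding is the part worth reviewing.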

To try the plugin yourself, download the attached file:, rename it to crossfox.xpi, then drag and drop it onto your Firefox window and it will be installed.

Then write your normal AJAX code to make the request to a remote server.

For example:

var xhr = new XMLHttpRequest();
xhr.open("GET", remoteUrl, true); // remoteUrl is a placeholder: the URL is missing from the page

xhr.onreadystatechange = function() {