There are many situations on the browser client where it is desirable to make an AJAX call to a web site or web service to fetch data. Often the data source is on a different domain than the one the request originates from; these are called cross-domain requests. Browsers restrict scripts from making cross-domain requests because of the security implications of allowing arbitrary data requests across trust boundaries. (More precisely, the browser will usually still send such a request, with the target site's cookies attached, but it will not let the requesting script read the response.) At Scibler, the browser plugin that activates on the Gmail domain needs to request data from Scibler servers to create an integrated experience for the user.
Partial mitigation of two important attacks is the reason browsers enforce the Same Origin Policy (SOP) for data requests. One is XSRF or CSRF (pronounced "sea-surf"), the other is XSS. The mitigation is only partial: SOP does not stop a cross-origin request from being sent, it stops the requesting script from reading the reply, so both attacks still need their own defences on the server side.
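To make the "same origin" comparison concrete, here is an added example (not code from the original post or from Scibler) that reimplements the check a browser performs before letting a script read a response: the scheme, host and port of the page and of the target must all match, with default ports filled in and path, query and fragment ignored. The Gmail page URL is real; the `api.scibler.example` host is an assumed stand-in for a Scibler API endpoint, not a real address.

```javascript
// Reference implementation of the Same Origin Policy's origin comparison.
// Uses the WHATWG URL parser that is global in Node.js (>= 10) and browsers.
// Hostnames under .example below are assumptions for illustration only.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Reduce a URL to the (scheme, host, port) triple that SOP compares.
// The URL parser already drops an explicit default port (":443" on https),
// so an empty port is mapped back to the scheme's default for the comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Two URLs are same-origin only if all three components agree.
// Path, query string and fragment never take part in the decision.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Model of the browser's decision for a script running on `pageUrl` that
// requests `targetUrl`: the request is sent either way (cookies included),
// but the response body is exposed to the script only when same-origin.
// CORS, which lets the target opt in, is deliberately outside this model.
function canReadResponse(pageUrl, targetUrl) {
  return sameOrigin(pageUrl, targetUrl);
}

// The page our script runs on (a real Gmail URL).
const PAGE = 'https://mail.google.com/mail/u/0/#inbox';

// Constructed cases covering the edges of the rule.
const CASES = [
  ['https://mail.google.com/mail/feed/atom', true],   // only the path differs
  ['https://mail.google.com:443/?q=x', true],         // explicit default port
  ['http://mail.google.com/', false],                 // scheme differs
  ['https://www.google.com/', false],                 // sibling subdomain
  ['https://google.com/', false],                     // parent domain
  ['https://mail.google.com:8443/', false],           // port differs
  ['https://api.scibler.example/v1/context', false],  // assumed third-party API host
];

// Evaluate every case; returns the list of mismatches (empty when all agree).
function checkCases(pageUrl = PAGE, cases = CASES) {
  const failures = [];
  for (const [target, expected] of cases) {
    const got = canReadResponse(pageUrl, target);
    console.log(`${got ? 'same-origin ' : 'cross-origin'}  ${target}`);
    if (got !== expected) failures.push(target);
  }
  return failures;
}

checkCases();
```

Note that `google.com` and `mail.google.com` are different origins even though one is a parent of the other, and that `http://` and `https://` versions of the same host are different origins too. That last point matters for a plugin injected into Gmail: a request to a Scibler server is cross-origin no matter how the hostnames are arranged, so the server has to opt in explicitly before the plugin can read the reply.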
[XSRF](http://en.wikipedia.org/wiki/Cross-site_request_forgery) stands for Cross-site Request Forgery, wherein the trust a site places in a user's browser that holds a session with it is hi