Execute the following JS:

var xhr = new XMLHttpRequest();
xhr.open('GET', 'http://www.notmydomain.com/');

Expected result: The XHR should throw an exception, like Firefox and IE.

Actual result: It does not throw an exception.

From the spec: http://www.w3.org/TR/XMLHttpRequest/#xmlhttprequest

If stored url is not of the same-origin as the origin of the Document pointer the user agent should raise a SECURITY_ERR exception and terminate these steps.

See the attached demo page for a live test.
This is expected behavior. We've implemented support for cross-origin requests per the "Cross-Origin Resource Sharing" specification at <http://www.w3.org/TR/access-control/>. Firefox 3.5 also supports this specification and behaves similarly on your test case.
More specifically, please see <http://dev.w3.org/2006/webapi/XMLHttpRequest-2/>, which works in tandem with access control.
Thanks for the response. Glad to hear this is happening.
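The behaviour discussed in this thread, as an added example that is not part of the original report or of WebKit's code: under Cross-Origin Resource Sharing, `open()` no longer throws for a cross-origin URL, and protection moves to a check on the response headers before script may read the reply. The sketch models that check for simple requests only (no preflight); the document URL `http://www.example.test/` and the header objects are constructed sample input.

```javascript
// Added illustration of the browser-side decision; runs in Node (uses the global URL).

// Serialized origin = scheme://host[:port]; URL.origin drops default ports.
function originOf(url) {
  return new URL(url).origin;
}

function isSameOrigin(documentUrl, requestUrl) {
  return originOf(documentUrl) === originOf(requestUrl);
}

// May script running in documentUrl read the response to requestUrl?
// responseHeaders: plain object keyed by lower-case header name.
function mayReadResponse(documentUrl, requestUrl, responseHeaders, withCredentials = false) {
  // Same-origin responses need no CORS headers at all.
  if (isSameOrigin(documentUrl, requestUrl)) return true;

  const allowOrigin = responseHeaders['access-control-allow-origin'];
  if (allowOrigin === undefined) return false; // server did not opt in

  if (withCredentials) {
    // Credentialed requests: the wildcard is rejected and the server must
    // send Access-Control-Allow-Credentials: true (exact, case-sensitive).
    if (allowOrigin === '*') return false;
    if (responseHeaders['access-control-allow-credentials'] !== 'true') return false;
  }
  // Otherwise the value must be "*" or the exact serialized requesting origin.
  return allowOrigin === '*' || allowOrigin === originOf(documentUrl);
}

// Constructed cases around the URL from the report.
const DOC = 'http://www.example.test/page.html';
const TARGET = 'http://www.notmydomain.com/';

function demo() {
  return {
    noHeaders: mayReadResponse(DOC, TARGET, {}),
    wildcard: mayReadResponse(DOC, TARGET, { 'access-control-allow-origin': '*' }),
    wildcardWithCredentials:
      mayReadResponse(DOC, TARGET, { 'access-control-allow-origin': '*' }, true),
    exactWithCredentials: mayReadResponse(DOC, TARGET, {
      'access-control-allow-origin': 'http://www.example.test',
      'access-control-allow-credentials': 'true',
    }, true),
  };
}

console.log(demo());
```

A server that has not opted in is still contacted by a simple request; the check only stops the calling page from reading the response, so state-changing endpoints need their own CSRF defences.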