Yeah, the simple answer is that normally you can't do REST requests with XMLHttpRequest to arbitrary other URLs, because of the same-origin security policy that browsers enforce. Otherwise a web page could steal cookies and do many kinds of request forgery if you sent requests to other sites that the user is logged in to.

To make exceptions to that rule, browsers implement this protocol for cross-origin requests that lets web services say "it's ok to ask me stuff from other domains' context". More info at Zalewski's excellent Browser Security Handbook: https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy_for_XMLHttpRequest

Before browsers gained support for this mechanism, they were using this crazy thing called JSONP. It means you reference the remote json document using <script src> so you just evaluate the remote json as straight javascript, which is pretty bad from a security point of view (gives the remote full control of your javascript execution context). It had other problems too.

You can see an example (you only do the "simple requests" usually) at https://developer.mozilla.org/en/docs/HTTP/Access_control_CORS#Simple_requests

So the server including the Access-Control-Allow-Origin header in response to the browser's Origin header is what OK's it from the browser's point of view.

Erno
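The header exchange described in the message above, as an added example that is not part of the original post: the server decides whether to answer an Origin header with Access-Control-Allow-Origin, and a simplified model of the browser decides whether the page's script may read the response. The allowlist, the origins and both function names are assumptions made for illustration.

```javascript
// Added example: CORS decision for a "simple request", server side and browser side.
// ALLOWED_ORIGINS, corsHeadersFor and browserAllowsRead are hypothetical names;
// the origins are constructed sample values.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]);

// Server side: build the CORS response headers for the request's Origin header.
function corsHeadersFor(origin, { credentials = false } = {}) {
  // The response differs per Origin, so shared caches must key on it.
  const headers = { Vary: "Origin" };
  // Exact-match allowlist: no substring or suffix matching, no blind echo.
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin;
    if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Browser side (simplified model): may the page's script read the response?
function browserAllowsRead(pageOrigin, responseHeaders, { withCredentials = false } = {}) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  if (acao === undefined) return false; // no header: same-origin policy applies
  if (withCredentials) {
    // With cookies attached, "*" is not accepted; the origin must match
    // exactly and the server must opt in to credentials explicitly.
    return acao === pageOrigin &&
      responseHeaders["Access-Control-Allow-Credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Stand-alone demonstration with constructed origins.
for (const origin of ["https://app.example.com", "https://other.example"]) {
  const headers = corsHeadersFor(origin);
  console.log(origin, headers, "readable:", browserAllowsRead(origin, headers));
}
```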