Is it possible (with user permission) to do cross site requests with JavaScript in a webpage in the same way as you would do in an extension?
Google is about to release its PC and OS. You'll be able to code for that machine only with browser technologies - i.e. JavaScript. So I expect some tools to be available already.
On the web JavaScript has a same origin policy to prevent XSS attacks. In extensions it is free to wander around.
So the question is: can I write a page or (if you prefer) an online app that is authorized (after user confirmation, of course) to do all the cross site requests it feels needed? I know this is possible when you write an extension, but I'd prefer something that doesn't stick so much in the user's browser. [Edit] I know there are solutions if you have control of both sites involved. But I'm asking if it is possible to access, for instance, Google or Yahoo APIs: sites I've no control over.
For instance say I want to write a frontend for some API (REST, JSON, XML: not a script tag, cross-site compatible API): I need to host it somewhere (a different host than the API provider) but I need to make unrestricted calls to that domain and read responses too. I understand the security risks, I'm talking about asking the user's permission first (as you do when you install extensions).
If you need to have the browser and server agree to access data you can look into CORS:
http://www.w3.org/TR/cors
https://developer.mozilla.org/en/HTTP_access_control
Basically you add a header on the server on all requests that tells the browser that the server is aware of cross origin and is OK with it.
It is surprisingly simple. There are a few gotchas. One being the so-called preflight dialog the browser and server engage in when there is a non-standard header. Some frameworks insert such a header which triggers this dialog. What it means in practice is the need for the server to add the CORS headers to all responses including the OPTIONS header!
If, as you later mention, you want to request privileges from the user to bypass security restrictions, you need to look into signed scripts: http://www.mozilla.org/projects/security/components/signed-scripts.html
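The server side of the CORS exchange described in the answer above, as an added example that is not part of the original post: the handler sends the CORS headers on both the `OPTIONS` preflight and the actual response, and only for origins on an allowlist. The origin `https://frontend.example`, the function names and the `X-Requested-With` header are assumptions chosen for illustration.

```javascript
// Added example: origins and names are constructed for illustration.
const ALLOWED_ORIGINS = new Set(["https://frontend.example"]); // assumed front-end origin
const ALLOWED_METHODS = "GET, POST, OPTIONS";
const ALLOWED_HEADERS = "Content-Type, X-Requested-With";

// Build the CORS headers for one request. Unknown origins get no
// Allow-Origin header, so the browser withholds the response from the page.
function corsHeaders(origin) {
  const headers = { Vary: "Origin" }; // caches must key on the Origin header
  if (origin && ALLOWED_ORIGINS.has(origin)) {
    headers["Access-Control-Allow-Origin"] = origin; // echo only allowlisted origins
  }
  return headers;
}

// Signature matches Node's http.createServer(handler).
function handler(req, res) {
  const headers = corsHeaders(req.headers.origin);
  const allowed = "Access-Control-Allow-Origin" in headers;

  if (req.method === "OPTIONS") {
    // Preflight: the browser sends this first when the real request
    // carries a non-simple header such as X-Requested-With.
    if (allowed) {
      headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS;
      headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS;
      headers["Access-Control-Max-Age"] = "600"; // cache the preflight for 10 minutes
    }
    res.writeHead(204, headers);
    res.end();
    return;
  }

  // The actual response must carry Allow-Origin again, not just the preflight.
  headers["Content-Type"] = "application/json";
  res.writeHead(200, headers);
  res.end(JSON.stringify({ ok: true }));
}

// Minimal stand-in for http.ServerResponse so the handler runs offline.
function simulate(method, origin) {
  const out = { status: 0, headers: {}, body: "" };
  const res = {
    writeHead(status, headers) { out.status = status; out.headers = headers; },
    end(body) { out.body = body || ""; },
  };
  handler({ method, headers: origin ? { origin } : {} }, res);
  return out;
}
```

Passing `handler` to Node's `http.createServer` serves it for real; `simulate("OPTIONS", "https://frontend.example")` shows the preflight response without opening a socket.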