A loyal user recently made a non-malicious JS script on his web site that performs an AJAX request to one of my scripts on my web server (cross-domain). He noticed that this request went through and was performed successfully and brought this to my attention.
How might I go about disabling cross-domain AJAX requests? I thought this wasn't possible by default, but I guess I am mistaken.
Thanks in advance.
While Same-Origin Policy isn't foolproof, it helps reject a fair number of requests. If you really want to be super safe and make sure only scripts on your site are allowed to make AJAX requests, you could implement a token system similar to the way WordPress does it with nonces (see [WordPress Nonces](http://codex.wordpress.org/WordPress_Nonces), [Mark Jaquith's post on WordPress 2.0.3 nonces](http://markjaquith.wordpress.com/2006/06/02/wordpress-203-nonces/), and the [Wikipedia page on cryptographic nonces](http://en.wikipedia.org/wiki/Cryptographic_nonce)).
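As an added example (not code from the poster or from WordPress), here is a minimal version of the token scheme the answer describes, written in Python as plain functions so it can sit behind any web framework. It follows the WordPress idea of an HMAC over a time window, the action name and the caller's session, and adds an Origin/Referer check on top. The secret key, session id, action names and allowed origin are all constructed placeholders for the example.

```python
import hmac
import hashlib
import time
from urllib.parse import urlsplit

# Constructed placeholder: in a real deployment load this from configuration,
# never from source control, and rotate it if it leaks.
SECRET_KEY = b"replace-me-with-32-random-bytes-"

NONCE_LIFETIME = 12 * 3600          # a nonce stays valid for 1-2 windows (WordPress style)
WINDOW = NONCE_LIFETIME // 2


def _window(now):
    """Index of the time window a timestamp falls into."""
    return int(now // WINDOW)


def _mac(window, action, session_id, key):
    msg = f"{window}|{action}|{session_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


def create_nonce(session_id, action, now=None, key=SECRET_KEY):
    """Issue a nonce bound to this session, this action and the current window.
    Embed it in the page your own script is served from; a third-party page
    cannot obtain it because it cannot read your HTML cross-origin."""
    now = time.time() if now is None else now
    return _mac(_window(now), action, session_id, key)


def verify_nonce(nonce, session_id, action, now=None, key=SECRET_KEY):
    """Accept a nonce from the current or the previous window only.
    Constant-time comparison avoids leaking how many characters matched."""
    now = time.time() if now is None else now
    w = _window(now)
    for candidate in (w, w - 1):
        if hmac.compare_digest(_mac(candidate, action, session_id, key), str(nonce)):
            return True
    return False


def request_origin(headers):
    """Return scheme://host[:port] of the caller from Origin, falling back to Referer.
    Browsers set Origin on cross-origin XHR/fetch; neither header is a strong
    secret, which is why the nonce check still follows."""
    if headers.get("Origin"):
        return headers["Origin"].rstrip("/")
    ref = headers.get("Referer")
    if ref:
        parts = urlsplit(ref)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}"
    return None


def authorize(headers, params, session_id, action, allowed_origins, now=None, key=SECRET_KEY):
    """Gatekeeper for an AJAX endpoint: returns (ok, reason)."""
    origin = request_origin(headers)
    if origin not in allowed_origins:
        return False, "origin not allowed"
    nonce = params.get("_nonce")
    if not nonce or not verify_nonce(nonce, session_id, action, now=now, key=key):
        return False, "missing or invalid nonce"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walk-through: a same-site page gets a nonce, a foreign page does not.
    sid, action, site = "sess-abc123", "delete_post", {"https://example.com"}
    token = create_nonce(sid, action)
    print(authorize({"Origin": "https://example.com"}, {"_nonce": token}, sid, action, site))
    print(authorize({"Origin": "https://other.example"}, {"_nonce": token}, sid, action, site))
    print(authorize({"Origin": "https://example.com"}, {}, sid, action, site))
```

The nonce is tied to the session, so a token lifted from one user's page does not work for another, and to the action, so a token meant for a harmless operation cannot be replayed against a sensitive one. The origin check is a cheap first filter; the nonce is the actual control.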