By default, AJAX requests that cross domains are blocked by most modern browsers, namely Chrome, Firefox and Internet Explorer 8+.
To enable this functionality you need to add new headers to your server, specifying the domains that can access your data, or just let anyone in.
Full details can be found here: http://enable-cors.org/index.html
If you cannot be bothered to read the article, then you just need to add the following headers:
1. Access-Control-Allow-Headers: X-Requested-With, Content-Type, Accept
2. Access-Control-Allow-Methods: GET, POST, PUT, DELETE, OPTIONS
3. Access-Control-Allow-Origin: *
4. GET, POST, PUT, HEAD, DELETE, TRACE, COPY, LOCK, MKCOL, MOVE, PROPFIND, PROPPATCH, UNLOCK, REPORT, MKACTIVITY, CHECKOUT, MERGE, M-SEARCH, NOTIFY, SUBSCRIBE, UNSUBSCRIBE, PATCH, SEARCH
Obviously the above is overkill and can be cut down to meet your specific requirements.
For example, (2) could be reduced, but you may find you have to keep the OPTIONS value in, as the browser can issue an OPTIONS request before a GET or POST to determine what the server supports (a preflight request).
The value of “*” for (3) allows any site to access your data using XMLHttpRequest; this could be reduced to a list of space-separated domains if required.
The final list (4) is again over the top and could be reduced significantly.
If you happen to be using OAuth 2.0 and are sending the access_token via a header, rather than the query string, then you need to add Authorization to the Access-Control-Allow-Headers, as the token should be sent using the
In fact, if you use any custom headers then you’ll need to add them all, as CORS strips them out.
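The following is an added example, not code from the original post, showing one way to put the header list above and the OAuth 2.0 note into practice on the server side. Rather than the “*” wildcard, it checks each request’s Origin against a small allowlist and echoes back only the matching origin, answers OPTIONS preflights, and lists Authorization among the allowed headers so a bearer token can travel in a header. The hostnames, the allowlist and the tiny JSON endpoint are constructed for the example; the server uses only the Python standard library.

```python
"""Added example (not from the original post): building CORS response headers.

Instead of Access-Control-Allow-Origin: "*", the Origin header of each request
is checked against an allowlist and echoed back when it matches. The allowed
methods and headers are trimmed to what this API actually uses, and
"Authorization" is included so an OAuth 2.0 bearer token can be sent in a
header rather than the query string. Hostnames below are constructed.
"""
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed allowlist of origins permitted to call this API from a browser.
ALLOWED_ORIGINS = {"https://app.example.com", "https://admin.example.com"}
ALLOWED_METHODS = ["GET", "POST", "PUT", "DELETE", "OPTIONS"]
ALLOWED_HEADERS = ["Authorization", "Content-Type", "Accept", "X-Requested-With"]
PREFLIGHT_MAX_AGE = 600  # seconds the browser may cache a preflight result


def cors_headers(origin, allowed_origins=ALLOWED_ORIGINS):
    """Return the CORS headers for a request from `origin`, or {} if not allowed."""
    if origin is None or origin not in allowed_origins:
        return {}
    return {
        # Echo the single matching origin: the header takes one origin or "*",
        # never a list, so multiple domains cannot be put in one value.
        "Access-Control-Allow-Origin": origin,
        # Tell caches the response differs per Origin, so one client's
        # allowed origin is never served from cache to another.
        "Vary": "Origin",
    }


def preflight_headers(origin, requested_method, requested_headers,
                      allowed_origins=ALLOWED_ORIGINS):
    """Answer an OPTIONS preflight. Returns (status, headers).

    `requested_headers` is the raw Access-Control-Request-Headers value, a
    comma-separated list that browsers send in lowercase.
    """
    base = cors_headers(origin, allowed_origins)
    if not base or requested_method not in ALLOWED_METHODS:
        return 403, {}
    wanted = [h.strip().lower() for h in (requested_headers or "").split(",") if h.strip()]
    allowed_lower = {h.lower() for h in ALLOWED_HEADERS}
    if any(h not in allowed_lower for h in wanted):
        return 403, {}  # a custom header we never listed: refuse the preflight
    base.update({
        "Access-Control-Allow-Methods": ", ".join(ALLOWED_METHODS),
        "Access-Control-Allow-Headers": ", ".join(ALLOWED_HEADERS),
        "Access-Control-Max-Age": str(PREFLIGHT_MAX_AGE),
    })
    return 204, base


class ApiHandler(BaseHTTPRequestHandler):
    """Minimal endpoint wiring the two helpers into real responses."""

    def _send(self, status, headers, body=b""):
        self.send_response(status)
        for name, value in headers.items():
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        if body:
            self.wfile.write(body)

    def do_OPTIONS(self):
        status, headers = preflight_headers(
            self.headers.get("Origin"),
            self.headers.get("Access-Control-Request-Method"),
            self.headers.get("Access-Control-Request-Headers"),
        )
        self._send(status, headers)

    def do_GET(self):
        headers = cors_headers(self.headers.get("Origin"))
        headers["Content-Type"] = "application/json"
        self._send(200, headers, b'{"ok": true}')


if __name__ == "__main__":
    # Constructed local bind address for trying the handler with curl or a browser.
    HTTPServer(("127.0.0.1", 8080), ApiHandler).serve_forever()
```

A request from an origin not in the allowlist still receives the GET response, but without Access-Control-Allow-Origin the browser refuses to hand the body to the calling page; the preflight for such an origin, or for a method or header the API never listed, is answered with 403 so the refusal also shows up in server logs. Note that Access-Control-Allow-Origin carries exactly one origin (or “*”), which is why the allowlist is matched server-side and the single matching value echoed back, with Vary: Origin added so shared caches keep the responses apart.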