Cross domain browser elements

Started by May 09, 2010 09:49 AM
2 comments, last by jflanglois 14 years, 6 months ago
Ok so right now the only type of cross-domain browser request that is not allowed are ajax calls. This still leaves cross-domain images, iframes, css files, javascripts. I'm getting really tired of every website I go to having a dozen different embedded tracking services/adware services/social networking scripts. It seems like they're everywhere, and it's a huge privacy breach. No one is interested in Facebook's "Like" mugshot plugin. I think the browser should allow you to ban all cross-browser elements. This is the only real way of guaranteeing your privacy. I've searched how to do this with Firefox, but there doesn't seem to be an option for it (only to disable frames). I'm considering writing my own plugin just to block cross-domain requests. Of course the plugin would have to allow exceptions. Btw Adblock Plus does not solve this problem either. What does anyone think of this?
Well, the problem is that it would break legitimate uses for cross domain requests, such as content delivery networks.

The better solution is to blacklist the domains you don't want (and you don't need a plug-in to do that), but then the issue is: nothing is free; so would you rather Facebook was a paid service, or would you rather the slight annoyance and award them their advertisement revenue?

[Edit] Re: privacy. If you are truly worried about privacy, then I would recommend you stay away from Facebook altogether. Mark Zuckerberg has made it clear that he believes privacy is no longer relevant in social media (though he will try to make his users happy, naturally).

[Edit2] Also, cross-site ajax requests are a part of XHR Level 2, and modern browsers are gaining support for it (e.g. Firefox, WebKit). And that ignores techniques like JSONP.

[Edited by - jflanglois on May 9, 2010 11:13:39 AM]
I agree that having a list of blocked domains is a partial solution to the problem (that's what Adblock does), and I agree that sometimes cross-domain requests are needed and legitimate.

But I think that this should be opt-in, not opt-out. If I sign up for a social networking service on a website, then I only want to interact with that site only when I am on their domain. I don't want them to be able to track me when I go to another domain on a blog that has an embedded "share this" or "Like" button.
You have opted in, though, by signing up for the service. Although I agree that you should have more control over how you interact with these services, I think that a technology solution would only serve to mitigate the problem. The debate, I think, really belongs in the legal space.
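
The two policies debated in this thread, sketched side by side as an added example that is not part of any post: default-deny with per-site exceptions (the "opt-in" plugin idea) and default-allow with a domain blocklist (the "blacklist" suggestion). All function names, hostnames and the policy shape are hypothetical; hosts are compared by exact hostname, so a real extension would also need the Public Suffix List to treat subdomains of one site as same-site.

```javascript
"use strict";

// True if host equals entry or is a subdomain of it. The dot boundary
// matters: "notcdn.example" must not match an entry for "cdn.example".
function hostMatches(host, entry) {
  return host === entry || host.endsWith("." + entry);
}

// Decide whether a sub-resource request made by a page should load.
//   mode "opt-in":  block every cross-domain request unless the page's
//                   exception list names the target host.
//   mode "opt-out": allow everything except hosts on the blocklist.
function decide(pageUrl, requestUrl, policy) {
  const page = new URL(pageUrl).hostname;
  // Resolve relative URLs against the page, as the browser would.
  const target = new URL(requestUrl, pageUrl).hostname;
  if (target === page) return "allow"; // same host is never blocked
  if (policy.mode === "opt-out") {
    return policy.blocklist.some((e) => hostMatches(target, e)) ? "block" : "allow";
  }
  const exceptions = policy.exceptions.get(page) || [];
  return exceptions.some((e) => hostMatches(target, e)) ? "allow" : "block";
}

// Constructed sample data: one page and the resources it embeds.
const PAGE = "https://blog.example/post/1";
const REQUESTS = [
  "/style.css",                         // same host
  "https://static.cdn.example/lib.js",  // content delivery network
  "https://social.example/like.js",     // known social widget
  "https://tracker.example/pixel.gif",  // tracker nobody has listed yet
  "https://notcdn.example/lib.js",      // look-alike of the excepted CDN
];

const optIn = { mode: "opt-in", exceptions: new Map([["blog.example", ["cdn.example"]]]) };
const optOut = { mode: "opt-out", blocklist: ["social.example"] };

function evaluate(policy) {
  return REQUESTS.map((r) => decide(PAGE, r, policy));
}

console.log("opt-in :", evaluate(optIn).join(", "));
console.log("opt-out:", evaluate(optOut).join(", "));
```

The unlisted tracker is where the two policies differ: the blocklist lets it through until someone adds it, while the opt-in policy blocks it but only keeps the CDN working because an exception was configured by hand.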

This topic is closed to new replies.
