JSONP for Cross Site XHR
June 30, 2008 | RIAguy | Ajax

The cross-site scripting restrictions imposed by browsers are both very important, for security reasons, and very frustrating, for the limitations they impose. If you're not familiar with the same-origin restrictions on XHR (the XMLHttpRequest object, the backbone of Ajax), they basically say that all requests must go to the same domain as the page that's making them.

For security, this is a very good thing. Otherwise hackers could set up web pages with JavaScript that steals all the info from sites you are logged into, such as your bank details and the prescription for your herpes medication. Adobe's Flash Player has implemented a way of locking down a domain while opening it up to trusted domains using a cross-domain policy file. Alas, no such thing exists for the browsers yet.

But let's say there is some data you want to fetch with XHR that isn't private, like search results, stock quotes, or news about your favorite reality TV show. Along comes JSONP (padded JSON) to the rescue.

JSON, if you don't know, is a data format for passing along well-formed JavaScript objects. It happens to be very terse (it tends to be smaller than XML) and much easier for the browser to parse than XML. JSONP is an unofficial standard in which the JSON is sent back to the browser wrapped in a function call.

Using JavaScript, the clever coder creates a script tag node, sets its URL to the service that returns JSONP, and adds a unique parameter (usually a timestamp) to prevent caching. The function call that wraps the JSON is mapped to a callback, which then cracks open the data and does brilliant things with it.

It's great.

I should repeat, however, that this format is not secure. It basically opens this data up to anybody, so personal or private data should NEVER be passed this way. You are also trusting the data source not to pass malicious code back to the page, since the browser executes the response as script rather than parsing it as data. You should be OK grabbing search results from Yahoo or Google, but I wouldn't be pulling down script from any colleges in Russia.
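The script-tag mechanism described above, and the reason the reply has to come from a trusted source, as an added JavaScript example that is not part of the original post. The service URL, the callback names and the `callback` / `_` query parameters are assumptions made for the illustration.

```javascript
// Added example (not the post's own code): a minimal JSONP client/server pair.
// Assumptions: the service honours a `callback` query parameter, and the
// serviceUrl / callbackName values used below are made up for illustration.

// Build the request URL: callback name plus a timestamp "cache buster" (`_`).
function buildJsonpUrl(serviceUrl, callbackName, now) {
  const sep = serviceUrl.includes("?") ? "&" : "?";
  const stamp = now === undefined ? Date.now() : now;
  return serviceUrl + sep + "callback=" + encodeURIComponent(callbackName) + "&_=" + stamp;
}

// Client: register a one-shot global callback and inject a <script> tag.
// Browser only; `win` lets a caller pass a window object explicitly.
function loadJsonp(serviceUrl, handler, win) {
  const w = win || (typeof window !== "undefined" ? window : null);
  if (!w || !w.document) throw new Error("loadJsonp needs a browser window");
  const name = "jsonp_cb_" + Date.now() + "_" + Math.floor(Math.random() * 1e6);
  const script = w.document.createElement("script");
  w[name] = function (data) {          // the callback that "cracks" the data
    delete w[name];                     // one-shot: tidy up the global
    script.parentNode.removeChild(script);
    handler(data);
  };
  script.src = buildJsonpUrl(serviceUrl, name);
  w.document.head.appendChild(script);
  return name;
}

// Server: wrap the JSON in the requested callback. Because the browser will
// execute the reply as script, the callback name is restricted to a plain
// identifier so the request cannot smuggle anything else into the reply.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;
function padJsonp(callbackName, payload) {
  if (!CALLBACK_RE.test(callbackName)) throw new Error("invalid callback name");
  return callbackName + "(" + JSON.stringify(payload) + ");";
}

// What the <script> tag does with the reply: run it as code, not parse it as
// data. Simulated with Function so it can be exercised outside a browser; this
// is exactly why the post says you must trust the data source.
function runJsonpResponse(responseText, callbackName) {
  let received;
  new Function(callbackName, responseText)(function (data) { received = data; });
  return received;
}
```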

Copyright © 2008 RIAspot.com