If you have an AJAX application whose PHP back-end app runs on a different server than your web front-end server (e.g. load balancing, CDNs, etc.), your PHP script will need to send HTTP response headers with the allowed content server name(s).
Web browsers now follow a standard for HTTP access control to prevent client-side cross-site scripting attacks.
I tested this with Firefox and it simply blocks the request without any error messages. Google Chrome browser will error out with the following message if the access control origin is not set correctly on your PHP script. (woot!)
“XMLHttpRequest cannot load [PHP URL].. Origin [JAVASCRIPT URL] is not allowed by Access-Control-Allow-Origin.”
For example, if the JavaScript is hosted on example.com and your PHP app is on example.org.
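One way to set the header for the example.com / example.org case, as an added example that is not from the original post. It assumes PHP 7.1 or later, HTTPS front ends, and a hypothetical second front-end host www.example.com; the header names are the standard CORS ones.

```php
<?php
// Added example: runs on example.org (the PHP back end).
// Assumption: the JavaScript is served from the origins listed below.

// Exact origins (scheme + host + optional port) allowed to read responses.
const ALLOWED_ORIGINS = [
    'https://example.com',
    'https://www.example.com', // hypothetical second front-end host
];

/**
 * Return the origin to echo back in Access-Control-Allow-Origin,
 * or null when the request's Origin is missing or not on the allowlist.
 */
function allowed_origin(?string $origin): ?string
{
    // Strict, exact match only: a look-alike host that merely contains
    // "example.com" (prefix, suffix or substring) must not pass.
    if ($origin !== null && in_array($origin, ALLOWED_ORIGINS, true)) {
        return $origin;
    }
    return null;
}

$allowed = allowed_origin($_SERVER['HTTP_ORIGIN'] ?? null);

// The response differs per Origin, so shared caches must key on it.
header('Vary: Origin');

if ($allowed !== null) {
    // Echo the single matching origin; never "*" and never the raw header.
    header('Access-Control-Allow-Origin: ' . $allowed);
}

// Preflight: browsers send OPTIONS before non-simple cross-origin requests.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'OPTIONS') {
    if ($allowed !== null) {
        header('Access-Control-Allow-Methods: GET, POST');
        header('Access-Control-Allow-Headers: Content-Type');
        header('Access-Control-Max-Age: 600');
    }
    http_response_code($allowed !== null ? 204 : 403);
    exit;
}

header('Content-Type: application/json');
echo json_encode(['ok' => true]);
```

Leaving the header out only stops the browser from handing the response to the calling page; a simple cross-origin request still reaches the script, so the allowlist is not a substitute for authentication or CSRF protection on the PHP side.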