Questions
Maybe I'm just not understanding this right, but this doesn't seem to make sense to me.
I have an MVC4 project exposing an ASP.NET WebApi. It works great making calls to the API within that project, but obviously making calls to it from another running project (on another port) requires cross-site scripting.
But here's my question: Doesn't this defeat the purpose of an API? If I want to make calls to the reddit API from my site, the fact that this is considered cross-site scripting makes it not only a bad security practice, but in some cases impossible.
If XSS is required to do this, doesn't that make AJAX pretty useless as a whole?
Answers
Simple answer: Of course not!! Pretty much the whole of the modern web is built on AJAX. If it was so pointless, it would never have gone from an MS proprietary API to being the backbone of web 2.0 and all that has come since.
http://en.wikipedia.org/wiki/Same_origin_policy
http://en.wikipedia.org/wiki/Reverse_proxy
Hopefully this all makes sense; it'll at least give you a good foundation of knowledge to build from.
Source
License : cc by-sa 3.0
http://stackoverflow.com/questions/14400710/cross-site-scripting-requirement-makes-my-api-useless