As of today, cross Domain XHRs are not "allowed" either in IE 7.0(?) or Firefox 126.96.36.199 . While testing this, I came across a very interesting find.
Firefox is so strict that it even treats ‘localhost’ and ‘127.0.0.1’ as being different domains. Here's a screenshot of the message from Firebug:
IE [6.0] on the other hand is a very permissive [some would argue less secure]. It just displays a security dialog [even for a HTTP Get/Post to http://www.google.com] and if user clicks 'Yes', it ALLOWS even Cross domain XHRs.