To reliably use cross-domain AJAX in your extension, you have to go through Crossrider's request.get() and request.post() APIs. Simple jQuery AJAX requests won't cut it due to browser portability problems. This means we needed to adapt Backbone to use this proprietary API for its persistence calls, like .save() and .fetch(). Here's how we overwrote Backbone.ajax to swap in the Crossrider API:
Something to keep in mind is that only GET and POST requests are supported here, since Crossrider only offers request.get() and request.post(). However, you can fake other HTTP actions by supplying the X-HTTP-Method-Override header with your request. Just set the value to whatever HTTP action you actually intend, like the sorely missing PUT and DELETE.