Cross-Domain XHR
Canvas apps are loaded on a Salesforce page in an iFrame. The Canvas
app has its own domain, so the browser's same-origin policy prevents it from
making XMLHttpRequest (XHR) calls back to the *.salesforce.com domain. You can
develop and deploy your own proxies as part of the SDK; however, Canvas
provides a client-side proxy written in JavaScript. This proxy enables
client-side XHR calls back to Salesforce.
If you use this proxy from the client to make an XHR request, the API forwards the request to the outer iFrame and the request is submitted on your behalf. When the request is complete, the SDK calls the client’s callback function with the results. Here are some examples of how you can make XHR calls:
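The forwarding step described above, modeled as an added example (it is not Salesforce's SDK code and not one of the page's own examples). It shows why both frames check the sender's origin and why replies are matched to callbacks by sequence number. It assumes the frames exchange messages over a postMessage-style channel; every function name, origin and path in it is constructed for illustration.

```javascript
// Constructed model of the forwarding pattern; these names are not Canvas SDK APIs.
const PARENT_ORIGIN = "https://example.my.salesforce.com"; // constructed origin
const APP_ORIGIN = "https://canvas-app.example.com";       // constructed origin

// Outer frame (Salesforce page): performs the request for the embedded app.
// sendRequest is a stand-in for the real same-origin XHR.
function makeOuterFrame(sendRequest) {
  return function receive(msg, fromOrigin, reply) {
    if (fromOrigin !== APP_ORIGIN) return;            // ignore other frames
    const target = new URL(msg.url, PARENT_ORIGIN);
    if (target.origin !== PARENT_ORIGIN) {            // only proxy to own origin
      reply({ seq: msg.seq, status: 400, payload: null });
      return;
    }
    const res = sendRequest(msg.method, target.pathname);
    reply({ seq: msg.seq, status: res.status, payload: res.payload });
  };
}

// Inner frame (canvas app): stores one callback per request, matches replies by seq.
function makeClientProxy(postToParent) {
  let seq = 0;
  const pending = new Map();
  return {
    ajax(url, settings) {
      seq += 1;
      pending.set(seq, settings.success);
      postToParent({ seq, url, method: settings.method || "GET" });
    },
    onMessage(msg, fromOrigin) {
      if (fromOrigin !== PARENT_ORIGIN) return false; // reply must come from parent
      const callback = pending.get(msg.seq);
      if (!callback) return false;                    // unknown or replayed seq
      pending.delete(msg.seq);
      callback({ status: msg.status, payload: msg.payload });
      return true;
    },
  };
}

// Wire both sides together in-process; run one allowed and one rejected call.
function runDemo() {
  const results = [];
  const outer = makeOuterFrame((method, path) => ({ status: 200, payload: { method, path } }));
  const client = makeClientProxy((msg) =>
    outer(msg, APP_ORIGIN, (reply) => client.onMessage(reply, PARENT_ORIGIN)));
  client.ajax("/services/data/constructed-path", { success: (d) => results.push(d) });
  client.ajax("https://other.example.net/x", { success: (d) => results.push(d) });
  return results;
}
```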