After I read this article, what I understand is that in order to allow cross-domain ajax calls, I have to set the server response to be Access-Control-Allow-Origin: *(public for testing purpose), and here is my server code, Google AppEngine in Python

self.response.headers.add_header('Access - Control - Allow - Origin:*')
self.response.headers.add_header('content-type', 'application/json', charset = 'utf-8')
self.response.out.write(simplejson.dumps(Jsonobject))

I don't know if that is correct. And my Ajax call

xhr.open("get", "http://example.com", true);
xhr.setRequestHeader("Access-Control-Allow-Origin","example");

I always got this error. Origin null is not allowed by Access-Control-Allow-Origin. How do I configure this? Thank you very much

1. You need to use Access-Control-Allow-Origin, not Access - Control - Allow - Origin
2. I'm not sure that self.response.headers.add_header(str) is valid, maybe self.response.headers.add_header(key, name)?
3. * domain doesn't work (at least not for all browsers). You have to use exact domain, full name, with protocol. Like http://example.com
4. You need Origin header, for ajax call. I'm not sure how to configure raw xhr, but I guess that it's made by browser itself, and you can't modify this value. Anyway, your domain not example
5. Don't forget that it doesn't work for most of IEs and Opera browsers.

May be these lines of code solve your problem.

You can do one thing for that just need to set Access-Control-Allow-Origin & Access-Control-Allow-Headers in CustomeHeaders your web service web.config file.

 <add name="Access-Control-Allow-Origin" value="*" />
 <add name="Access-Control-Allow-Headers" value="Content-Type" />

If you want to allow only for specific domain , you can do that with specific value of domain instead of * value