Hi all,
I have XMLHttpRequest object that connects to a web site in the
background, gets, post stuff. All good so far and working.

How do I hide the code so that the end-user can't see which web site I
am connecting to? I thought of creating a .JS file, but they can access
that using the absolute path. I know Google's view source will show you
all garbage only..no mention of web sites to connect.

One sense of assurance is that Ajax will not allow from diff domain. So
end-user can't create his form and try to submit something. But they
can always create a regular form and without using Ajax try to post to
my server. That will work.

Even if I give a sample ticket from the jsp session to the Ajax
javascript that they are supposed to give me before using the
server..will that work? How else can I prevent pple from messing up my
server. I want them to request a particular jsp using Ajax only thru my
application no other way.