If the API required a proxy, we wouldn't
see mt.google.com and wsdot.wa.gov in
busmonster's subsequent http headers.
Sites using the Maps API are loading 3rd
party data without proxies and without
triggering same-origin exceptions.
I now have an answer to my earlier question.
I registered a Google Maps API key and did a bit of hacking on a
local copy of the script. It turns out that it was a trick question
because the API script isn't sidestepping the same origin policy at
all. But at first glance it looks like it does.
I mistakenly thought the Maps API was doing something like this:
1. onmousedown, start to track pan
2. onmousemove, track position as map is panned
3. when a set threshold is reached, send new position to map server
4. map server sends back a set of URLs for the needed images
5. script inserts these new images into the DOM
In the speculative steps above, numbers four and five violate the
same origin policy as text strings from the foreign server are
finding their way into the DOM (as IMG src attributes). But this is
not what's happening.
The image URLs are built internally according to a predetermined
scheme. Nothing is being injected in to the DOM from the map-server.
Seeing GMap's tiles load in to Busmonster only gives the impression
that something is finding its way in [to the DOM] from the outside.
Of course, the binary image data is being loaded by the browser on to
the screen and *not* in to the DOM (as IMG src attributes only serve