One of the most basic tenets of browser security is the same-domain policy, which enforces the rule that a page loaded from one domain may not connect to any other domain. This rule is enforced by all major browsers, so that a malicious script that might have been injected at some point in the server cannot stealthily connect to a remote server and transmit sensitive details about the user (or worse).
There are, in fact, three exceptions to this rule, and those are CSS files, image files (gif, png, jpeg, and so on), and JavaScript files. That's right, it's perfectly legal to load an HTML page from domain x and have it in turn load JavaScript files from domainy.
In fact, without that feature, it wouldn't be possible to load and use AOL's CDN to load Dojo in the examples in this book.
But maybe you know this and have tried to use Dojo's XHR methods to load resources on remote servers which are encoded as JSON like the Yahoo Search API. Dojo does allow that...