AFS Widgets interact directly with AFS Web Services (Search, ACP, Click, CKS, ...) through HTTP requests that web browsers execute using AJAX.
The principle is simple: a script that has been downloaded from a domain assumes this domain is safe, so the domain can be requested through AJAX. Safe domains should not contain malicious scripts.
Many websites are vulnerable to XSS attacks. In such an attack, injected scripts cannot take the current page's data and send it to other domains, which may be malicious. The Same Origin Policy is aimed at limiting the damage that such attacks can cause.
Unless AFS Web Services are installed in the same domain as the integration web site, a proxy is required to redirect requests to AFS Web Services.
Here is an example of a proxy:
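As an added illustration (not AFS's own code and not taken from the original page), the Node.js sketch below serves the widgets' AJAX calls from the site's own origin and forwards only a fixed set of services to one fixed backend, so the proxy cannot be pointed at arbitrary hosts. The backend host, the `/afs/` prefix and the upstream paths are assumptions; only the service names come from the text above.

```javascript
// Added example. UPSTREAM, PREFIX and the upstream paths are assumptions, not
// documented AFS URLs; only the service names come from the text above.
const UPSTREAM = new URL('http://afs-backend.example.internal:8080'); // placeholder
const PREFIX = '/afs/'; // same-origin path the widgets are pointed at (assumed)
const SERVICES = new Set(['search', 'acp', 'click', 'cks']);

// Map a browser request path to the backend URL, or return null to refuse.
// Only "<PREFIX><service>[?query]" is accepted, so the client can never choose
// the host, add path segments, or reach anything outside the allowlist.
function resolveUpstream(requestUrl) {
  if (typeof requestUrl !== 'string' || !requestUrl.startsWith(PREFIX)) return null;
  const m = /^([a-z]+)(\?.*)?$/.exec(requestUrl.slice(PREFIX.length));
  if (!m || !SERVICES.has(m[1])) return null;
  const target = new URL('/' + m[1] + (m[2] || ''), UPSTREAM);
  return target.origin === UPSTREAM.origin ? target : null; // defence in depth
}

// Build the proxy server. Cookies and other browser headers are deliberately
// not forwarded, so site session data never reaches the backend.
function createProxy() {
  const http = require('node:http');
  return http.createServer((req, res) => {
    const target = req.method === 'GET' ? resolveUpstream(req.url) : null;
    if (!target) {
      res.writeHead(404).end();
      return;
    }
    const fail = () => {
      if (!res.headersSent) res.writeHead(502);
      res.end();
    };
    http.get(target, { headers: { accept: req.headers.accept || '*/*' } }, (up) => {
      res.writeHead(up.statusCode, {
        'content-type': up.headers['content-type'] || 'application/octet-stream',
      });
      up.on('error', fail).pipe(res);
    }).on('error', fail);
  });
}

// To run: createProxy().listen(3000);
```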