JavaScript's same-origin policy security model means that a script can't (directly... there are sneaky ways around it) request data from another site. It's quite strict. foo.site.com is different to site.com.
One thing I'd always assumed, but now I see how it wasn't a sensible assumption, was that the piece of code calling the data had to be served by the same domain name it was going to be calling. I've just done a little test of this, and discovered that's not true.
So if you're dead keen to see it, have a look at this test which loads the script from stout.rumble.net and actually loads Prototype from somewhere completely different. It has no trouble pulling data from www.rumble.net, but won't let me drag data from stout.rumble.net.
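The behaviour seen in the test can be modelled as below. This is an added example, not code from the original test page. It assumes the test page itself is served from www.rumble.net over plain HTTP with no cross-origin opt-in such as CORS headers, and the file paths and function names are hypothetical.

```javascript
// Added illustration: which origin the browser compares against when a
// script makes a request. Paths and the http scheme are assumptions.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) tuple of a URL.
function originOf(url) {
  const u = new URL(url);
  // URL.port is "" when the port is the scheme default, so fill it in.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// A script runs with the origin of the document that included it.
// scriptUrl is a parameter only to make visible that it is ignored.
function canReadResponse(documentUrl, scriptUrl, targetUrl) {
  return sameOrigin(documentUrl, targetUrl);
}

// Constructed scenario mirroring the test described above.
const page = "http://www.rumble.net/test.html";   // hypothetical path
const script = "http://stout.rumble.net/test.js"; // hypothetical path

function runScenario() {
  return {
    // Request back to the host that served the page: allowed.
    toPageHost: canReadResponse(page, script, "http://www.rumble.net/data.txt"),
    // Request to the host that served the script: blocked.
    toScriptHost: canReadResponse(page, script, "http://stout.rumble.net/data.txt"),
    // foo.site.com and site.com are different origins.
    subdomainVsParent: sameOrigin("http://foo.site.com/", "http://site.com/"),
    // An explicit default port does not change the origin.
    explicitDefaultPort: sameOrigin("http://site.com:80/", "http://site.com/"),
    // A different scheme does.
    schemeDiffers: sameOrigin("https://site.com/", "http://site.com/"),
  };
}

console.log(runScenario());
```

The practical consequence for anyone including third-party scripts: that code runs with the including page's origin, so it can read whatever the page itself can read from its own site.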