Does the XMLHttpRequest call to the second URL reside in exactly the same fully qualified domain name as that which served it?

That's usually the cause of security errors with AJAX applications. However....

If you're getting a 403, that's presumably from the webserver hosting the second CGI... can you check the server logs for the reason the request was denied?

-David