1. from the same host 2. through the same port 3. by the same protocol
There is one happy exception - you can bypass the limitation for subdomains of the same domain, such as sub1.domain.com and sub2.domain.com. You do this by reassigning document.domain to the short version, e.g.
document.domain="domain.com". This allows windows from the root domain to interact with windows in different subdomains.
You're correct that a "trusted script" can have more freedom - I've never written a signed script and I've only ever read about it (here's one solid reference: Netscape DevEdge [developer.netscape.com].) I understand it can be a bit unwieldy in many situations. Given that, a "real" app just may be the way to go.
That's not a definitive answer, I know. Hope the references will help you make a good decision for your situation.
[edited by: tedster at 12:42 am (utc) on June 7, 2003]