Well actually only the XPCOM objects can do it since it has the right
ownership, or should I say: SHOULD do it. Otherwise JavaScript that is
resourced from the extension could access it, which you wouldn't want
since that's a security hole. ;-)

So this works only in your extension:

----------------------------------------------8<-------------------------------------------------------------
var xml = Components.classes["@mozilla.org/xmlextras/xmlhttprequest;
1"]
.createInstance(Components.interfaces.nsIXMLHttpRe quest);

// xml.onprogress = INIT.onprogress('httpresult');

xml.open("GET", "http://www.google.com" , false);
xml.overrideMimeType("text/xml");
// bypass cache?
xml.channel.loadFlags |=
Components.interfaces.nsIRequest.LOAD_BYPASS_CACHE ;
xml.send(null);

if(xml.status == 200) {
// do stuff.
}
----------------------------------------------
>8-------------------------------------------------------------