When a user requests a page from your app domain (1), the client-side
communication is bound only to that domain. Your app can issue
client-side calls from the page only to other resources in the same
domain. However, apps usually require resources from other domains, such
as the SharePoint domain, to fulfill their scenarios. In the code in
your page, you may try to issue a request to the SharePoint domain (2),
which is blocked by the browser. You usually see an Access is denied
error. The error doesn’t imply that you don’t have permissions to the
requested resources but, most likely, you can’t even issue a request to
the mentioned resources.
When you use the cross-domain library, the webpages in your
app can access data in your app domain and the SharePoint domain. The
cross-domain library is a client-side alternative in the form of a
JavaScript file (SP.RequestExecutor.js) that is hosted in the SharePoint
website that you can reference in your remote app. The cross-domain
library lets you interact with more than one domain in your remote app
page through a proxy. It is a good option if you like your app code to
run on the client instead of on the server, and if there are
connectivity barriers, such as firewalls, between SharePoint and your
remote infrastructure. You can access data in the host web—for example,
you can access lists that end users interact with regardless of your
app. Or you can access data in the app web, such as lists specifically
provisioned for your app. Apps can also access other site collections
and websites as long as the app has tenant-scoped permissions and it has
been deployed as a batch installation using the app catalog.