What all are the allowed things that can be accessed from otherdomain.com? I mean, can we have <img src="otherdomain.com/xyz.jpg">?
You need to distinguish between "show" and "access". You can include the image, but you cannot access its data because of the same-origin policy (SOP).
Similarly can we directly use otherdomain.com in iframe src? What all are allowed by default?
You can include everything that can be linked, from stylesheets, scripts, images to whole pages via frames. Executing scripts from other domains is actually a standard method for getting data, called JSONP; and including resources from third-party CDNs is common as well.
What can be done to prevent access from otherdomain.com's perspective?
You can use the X-FRAME-OPTIONS header to prevent inclusion via frames, which should be respected by most browsers.
You could try to avoid answering requests (sending 404 content) with the wrong REFERER header, but that's not a reliable method since REFERER is often disabled by browsers or blocked by firewalls.
2nd part is related to JavaScript/AJAX. Is otherdomain stuff blocked by default in script related thing? Using AJAX, can I by default make a request to otherdomain.com? Is it allowed?
No, the access to the data is blocked. You can send the request, but the response will not be available to your script unless CORS headers are sent to explicitly allow it.
What can be done to get response from otherdomain.com, if it is not allowed?
You can use a proxy on mydomain.com.
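
The header logic described in the answer, as an added example that is not part of the original answer: otherdomain.com sets X-Frame-Options and sends a CORS header only to an allowlisted origin, and two simplified browser-side checks show the effect. The function names, the allowlist and the `unlisted.example` origin are hypothetical, and the browser model covers only simple requests without credentials or preflight.

```javascript
// Constructed allowlist: origins that otherdomain.com trusts to read its responses.
const TRUSTED_ORIGINS = new Set(["https://mydomain.com"]);

// Server side (otherdomain.com): build the policy headers for one response.
function policyHeaders(requestOrigin) {
  const headers = {
    // Refuse to be rendered inside a frame at all.
    "X-Frame-Options": "DENY",
    // The response differs per Origin, so caches must key on it.
    "Vary": "Origin",
  };
  // Echo the origin only on an exact allowlist match; never reflect it blindly.
  if (requestOrigin && TRUSTED_ORIGINS.has(requestOrigin)) {
    headers["Access-Control-Allow-Origin"] = requestOrigin;
  }
  return headers;
}

// Browser side, simplified model: may a script on pageOrigin read the response?
// The request is sent either way; only access to the response is decided here.
function scriptMayRead(pageOrigin, resourceOrigin, headers) {
  if (pageOrigin === resourceOrigin) return true; // same origin, nothing to allow
  const allowed = headers["Access-Control-Allow-Origin"];
  return allowed === "*" || allowed === pageOrigin;
}

// Browser side, simplified model: may the resource be shown in a frame on pageOrigin?
function frameMayRender(pageOrigin, resourceOrigin, headers) {
  const xfo = (headers["X-Frame-Options"] || "").toUpperCase();
  if (xfo === "DENY") return false;
  if (xfo === "SAMEORIGIN") return pageOrigin === resourceOrigin;
  return true;
}

// Walk through the cases for two constructed page origins.
function demo() {
  const resource = "https://otherdomain.com";
  for (const page of ["https://mydomain.com", "https://unlisted.example"]) {
    const headers = policyHeaders(page);
    console.log(page, {
      scriptMayRead: scriptMayRead(page, resource, headers),
      frameMayRender: frameMayRender(page, resource, headers),
    });
  }
}
demo();
```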