What are the security risks in using cross-domain XMLHttpRequest?

Front-end | Unresolved | 3 | 1412
有刺的猬 2021-01-13 05:57

In many places I've seen people have talked about the Cross-Domain XMLHttpRequest, which is not possible, due to some security reasons. However, I haven't

3 answers
  •  失恋的感觉
    2021-01-13 06:30

    If it were allowed, an attacker who manages to inject JavaScript into your page (through an exploit/social engineering) could send data (usually sensitive) that is acquired from your clients without them knowing (since XMLHttpRequests don't require user actions to occur and they are silent). It is a browser security measure.

    JSONP is just a workaround for this security measure, where you give the destination a callback and entrust them with whatever they give you back through this callback.

    EDIT: Examples of a security risk: you log in to your email account through the web (like Gmail or Yahoo). You carry on browsing (in another tab or even in the current tab) to another, malicious site. This malicious site tries to do XHR to the same website as your email account. Since the XHR is on your behalf, and since it is a client/browser-side request, this request will have the same session you used to log in, and therefore this website can do whatever it wants with your account (send spam mail through your account, download your contacts, etc.). Another example: in a forum, someone manages to inject JavaScript with XHR to another website. He can now steal the contacts list (and maybe then delete them) from all the people who visit his post in the forum (by using the same session of their web email). Not to mention that he can share the session of the members of the forum visiting his post to get whatever data they have in the forum (private messages/friends, etc.). He can then send this data to his server to save it.
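An added JavaScript model (not code from this thread) of the browser-side decision the answer above is describing: whether a credentialed cross-origin XHR response is exposed to the page. It also contrasts the server policy that re-creates the "mail account read from a malicious site" scenario (reflecting every Origin with credentials) with an allowlist policy. Host names and the header-check logic are a simplified, constructed model, not a full CORS implementation.

```javascript
// An origin is scheme + host + port; any difference makes a request cross-origin.
function originOf(href) {
  const u = new URL(href);
  return `${u.protocol}//${u.host}`;
}

// WEAK policy: echoing whatever Origin arrives while allowing credentials means
// any site a logged-in user visits can read responses carrying that user's session.
function weakCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// CORRECTED policy: only an explicit allowlist of trusted origins is ever echoed;
// every other origin gets no CORS headers, so the browser withholds the body.
function safeCorsHeaders(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Simplified model of the browser check before a response is exposed to script:
// same-origin is always readable; cross-origin needs ACAO equal to the page origin
// (a wildcard is rejected once credentials are sent) plus ACAC: true.
function browserExposesResponse(pageUrl, requestUrl, headers, withCredentials = true) {
  const page = originOf(pageUrl);
  if (page === originOf(requestUrl)) return true;
  const acao = headers['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;
  if (!withCredentials) return acao === '*' || acao === page;
  return acao === page && headers['Access-Control-Allow-Credentials'] === 'true';
}

// Constructed scenario from the answer: a page on a malicious site issues an XHR
// to the mail host where the visitor is currently logged in.
const mailApi = 'https://mail.example/contacts';
const evilPage = 'https://evil.example/post';
const weakResult = browserExposesResponse(evilPage, mailApi, weakCorsHeaders(originOf(evilPage)));
const safeResult = browserExposesResponse(evilPage, mailApi,
  safeCorsHeaders(originOf(evilPage), ['https://app.mail.example']));
// weakResult -> true (the contacts are readable), safeResult -> false (read blocked)
```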
