Why are cross-domain AJAX requests labelled as a “security risk”?

感动是毒 2021-01-19 16:40

By default, browsers don't allow cross-site AJAX requests.

I understand that a badly envisioned cross-domain request can be a security risk. If I take the

2 answers
  • 2021-01-19 17:19

    The risk isn't to the site making the request.

    For example:

    1. Alice visits Her Bank and logs in.
    2. She then visits Evil Site.
    3. Evil Site uses JavaScript to cause Alice's browser to make a request to Her Bank
    4. Her Bank responds with Alice's account details and passes them to the JavaScript
    5. The JavaScript then passes them on to the controller of Evil Site

    In a nutshell — it prevents attackers from reading private data from any site that Alice has credentials for (and ones that are behind a firewall, e.g. Alice's corporate Intranet).

    Note that this won't prevent attacks which don't depend on being able to read data from the site (CSRF), but without the Same Origin Policy the standard defence against CSRF would be easily defeatable.

  • 2021-01-19 17:22

    You're absolutely right with your second point re JSON/XML. When proper precaution is taken, there is no risk in receiving JSON from another domain. Even if the server decides to return some nasty script, you can effectively manage risk with proper data parsing. In fact, this is exactly why the JSONP hack is so popular (see twitter's search api for example).

    Already we're seeing HTML5 capable browsers introduce new objects and standards for cross domain communication (postMessage - http://dev.w3.org/html5/postmsg/ and Cross-Origin Resource Sharing - http://www.w3.org/TR/cors/ ).

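The "proper data parsing" this answer refers to, as an added example that is not code from the answer or from any API it mentions: a JSON body received from another domain is treated as untrusted data, parsed rather than executed, and checked against the shape the page expects before anything is rendered. The response bodies, the expected shape and the anti-hijacking prefix pattern are constructed assumptions for the example; it runs under Node.js.

```javascript
// Added example, not code from the answer above. A cross-domain JSON response is
// untrusted input: it is parsed with JSON.parse (which never evaluates script),
// validated against the expected shape, and escaped before it touches the DOM.
// The response bodies below are constructed for this example.

// Some APIs prepend a non-executable prefix (e.g. ")]}',\n") to defeat JSON hijacking;
// strip it before parsing. The exact prefix is an assumption for this example.
const ANTI_HIJACK_PREFIX = /^\)\]\}',?\r?\n/;

// Parse a cross-domain response as data only. A body such as a JSONP call
// 'cb({...})' is not valid JSON and is rejected instead of being run.
function parseUntrustedJson(body) {
  const text = String(body).replace(ANTI_HIJACK_PREFIX, '');
  try {
    return JSON.parse(text);
  } catch (err) {
    throw new Error('response is not valid JSON: ' + err.message);
  }
}

// Validate the parsed value against the shape we expect from a search API
// (an object with a "results" array of objects carrying a string "text").
// Anything else is an error rather than something passed on to the page.
function extractSearchResults(body) {
  const data = parseUntrustedJson(body);
  if (data === null || typeof data !== 'object' || !Array.isArray(data.results)) {
    throw new Error('unexpected response shape');
  }
  return data.results.map((item, i) => {
    if (item === null || typeof item !== 'object' || typeof item.text !== 'string') {
      throw new Error('unexpected result at index ' + i);
    }
    return item.text;
  });
}

// Escape before inserting into HTML so a string that looks like markup stays text.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed bodies: a well-formed JSON response whose data merely looks like script,
// the same body with an anti-hijacking prefix, and a JSONP-style body that is code.
const HOSTILE_JSON = '{"results":[{"text":"<script>alert(1)</script>"}]}';
const PREFIXED_JSON = ")]}',\n" + HOSTILE_JSON;
const JSONP_BODY = 'cb({"results":[]})';

// The markup-looking text survives only as an inert string, then as escaped HTML.
console.log(extractSearchResults(HOSTILE_JSON).map(escapeHtml));
```

Contrast this with the JSONP technique the answer mentions: there the response is loaded as a `<script>` and must be trusted completely, because whatever the other domain returns executes in the page. Parsing the same payload as JSON gives the page data it can validate and reject, which is what makes receiving JSON from another domain manageable.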