Why disable cross-domain ajax when running script tags?

Since JSONP in a script tag can be used to retrieve data from another domain, should we not allow XMLHttpRequest to do this as well? It makes no sense to argue that this enhances security when you can get around it, albeit with dirtier semantics.

+5
2 answers

JSONP only works if the provider allows this.

If cross-domain AJAX worked, one of the first problems would be people posting to other domains in the hope that you have an authenticated account. This is CSRF.

, , , , POST - ( , ).

+8
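The opt-in described in this answer, as an added example that is not part of the original post: a hypothetical provider (the routes, data and the `respond` function are constructed for illustration) wraps only its public data in a JSONP callback and returns cookie-authenticated data as plain JSON, so including it from a script tag on another domain hands nothing to the including page.

```javascript
// Added example: hypothetical provider; routes, names and data are constructed.
// Only a plain identifier is accepted as callback, so the parameter cannot
// carry arbitrary script into the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]{0,63}$/;

const ROUTES = {
  // Public data: the provider opts in to cross-domain reads via JSONP.
  '/public/rates': { jsonp: true, data: () => ({ eur: 1.0, usd: 1.1 }) },
  // Per-user data behind a session cookie: never offered as JSONP.
  '/account': { jsonp: false, data: (user) => ({ user, balance: 42 }) },
};

// path: request path; query: parsed query string; sessionUser: user resolved
// from the session cookie (undefined when there is no session).
function respond(path, query, sessionUser) {
  const route = ROUTES[path];
  if (!route) return { status: 404, type: 'text/plain', body: 'not found' };

  const json = JSON.stringify(route.data(sessionUser));
  const cb = query.callback;

  if (cb === undefined || !route.jsonp) {
    // Plain JSON: not wrapped in a function call, so a page that includes
    // this URL via <script> has no callback through which to receive the data.
    return { status: 200, type: 'application/json', body: json };
  }
  if (!CALLBACK_RE.test(cb)) {
    return { status: 400, type: 'text/plain', body: 'bad callback' };
  }
  // JSONP: the provider deliberately emits script that calls the consumer.
  return { status: 200, type: 'application/javascript', body: `${cb}(${json});` };
}
```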

JSONP - , , , - , , (, JSONP script XHR, JSONP - , , ).

, ECMAScript, , , , , - . , , XHR, cookie , , mashup , . .

+3
