In many places, I saw people talking about cross-domain XMLHttpRequest, which is not possible due to some security concerns. However, I did not find a message stating what these security reasons really are.
People mentioned that JSONP is one of the good alternatives. Another alternative would be to use the Origin and Access-Control-Allow-Origin headers.
However, I just want to know what security issues can be caused by the use of cross-domain XMLHttpRequest?
(example.org). script, AJAX facebook.com/messages/from/yourgirlfriend. facebook, Facebook, . Facebook , , . , , , , .
- , google, , SO, . , XSS . XHR gmail.com . CSRF , .
, Google Browser. , , , .
Access-Control-Allow-Origin: *, , - . . CSRF, . Captcha , ( , HTTPS). CSRF.
, , Javascript ( / ), ( ), , ( XMLHttpRequests , , ). .
JSONP - , , .
EDIT: : (, gmail yahoo). ( ) . XHR . XHR , /, , , - , , ( - , , ..). : - Javascript XHR . (, , ) , ( ). , , , , ( /..etc). , .
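The thread above discusses the Origin / Access-Control-Allow-Origin exchange and the attack where a malicious page reads an authenticated response (the "facebook.com/messages" scenario) with the victim's cookies. The following is an added example, not code from the question or any of the answers: a small model of the server-side decision (reflect an Origin only if it is on an allow list) and of the check a browser performs before it lets a cross-origin XMLHttpRequest read the response. The origins `https://evil.example`, `https://app.example`, `https://mail.example` and the function names are illustrative assumptions.

```javascript
// Added example (not from the question or answers above). Models the CORS
// decision on both sides of a cross-origin XMLHttpRequest. All origin names
// and function names are illustrative assumptions.

// Server side: build the CORS response headers for a request that carried an
// Origin header. Only allow-listed origins are reflected back; any other
// origin gets no Access-Control-Allow-Origin header, so the browser will
// refuse to hand the response body to the calling script.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  const headers = { Vary: 'Origin' }; // response differs per Origin: keep caches honest
  if (requestOrigin && allowedOrigins.includes(requestOrigin)) {
    headers['Access-Control-Allow-Origin'] = requestOrigin;
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

// Browser side (simplified model of the CORS access check): a page running at
// pageOrigin sent an XHR to another origin. May its script read the response?
// withCredentials models an XHR that sends the user's cookies for the target.
function browserMayReadResponse(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders['Access-Control-Allow-Origin'];
  if (acao === undefined) return false;        // no header at all: blocked
  if (acao === '*') return !withCredentials;   // '*' is never honoured for a credentialed request
  if (acao !== pageOrigin) return false;       // header names some other origin
  if (withCredentials) {
    // Credentialed reads additionally require an explicit opt-in.
    return responseHeaders['Access-Control-Allow-Credentials'] === 'true';
  }
  return true;
}

// Scenario from the thread: a page on evil.example issues a credentialed XHR
// to mail.example, hoping to read the victim's mailbox with the victim's
// cookies. Whether that works depends entirely on what mail.example reflects.
function evilSiteCanReadMail(mailServerAllowList) {
  const headers = corsHeadersFor('https://evil.example', mailServerAllowList);
  return browserMayReadResponse('https://evil.example', headers, true);
}

// Stand-alone run: show the outcomes for the cases discussed above.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('evil.example, strict allow list :', evilSiteCanReadMail(['https://app.example']));
  console.log('evil.example, wildcard, cookies :',
    browserMayReadResponse('https://evil.example', { 'Access-Control-Allow-Origin': '*' }, true));
  console.log('evil.example, wildcard, no cookies:',
    browserMayReadResponse('https://evil.example', { 'Access-Control-Allow-Origin': '*' }, false));
}
```

The point the model makes: a plain `Access-Control-Allow-Origin: *` exposes only data that is readable without the victim's cookies, because browsers refuse the wildcard on credentialed requests; it is reflecting arbitrary origins together with `Access-Control-Allow-Credentials: true` that turns the mailbox scenario into a real cross-origin read.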