Why forbid cross-domain ajax when script tags work?
Since it is straightforward to use JSONP in a script tag to fetch data from a different domain, shouldn't we allow XMLHttpRequest to do it as well? It doesn't make much sense to claim it strengthens security when it's possible to work around it, albeit with more messy semantics.
JSONP only works if the provider allows for it.
If cross-domain AJAX worked, one of the first problems would be people posting to other domains in the hope you have an authenticated account there. This is CSRF.
They could GET a page authenticated as you, take your token, and then POST something malicious with your token (which tells the application this is an internal request).
Actually JSONP is a clever workaround for the limitations of the same origin policy, but what it is is basically a self-inflicted cross-site scripting attack (remember that JSONP works by using script tags instead of XHR, so you give total control over your entire page to your JSONP data provider - usually they're not evil but sometimes they're incompetent, so keep that in mind).
There are a lot of discussions on how to fix the same origin policy in new versions of ECMAScript because clearly it doesn't work if it has to be circumvented to make any kind of mashups. An interesting idea in my opinion is having a cheaper version of XHR that would send no cookies or useless headers and so would be able to prevent cross-site request forgery attacks but still allow safe mashups without giving the data provider total access to your page. But we still have to wait for it.
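The point this answer makes about JSONP being script execution rather than data transfer, as an added example that is not part of the original thread. It models in plain Node.js what the browser does with a `<script>` tag (a constructed stand-in: `executeAsScript` runs the provider's response text with access to a constructed `page` object), and contrasts it with an XHR-style client that only parses the response.

```javascript
// Added example, not from the original thread. Models why a JSONP response is
// code running in your page, while an XHR response is only data to be parsed.

// Constructed stand-in for page state the data provider should never see.
const page = { secret: "constructed-page-secret", log: [] };

// Stand-in for the browser executing <script src="...">: the provider's
// response text runs with full access to the page's scope (here, `page`).
function executeAsScript(responseText, scope) {
  return new Function("page", "scope", responseText)(page, scope);
}

// JSONP client: register a callback, then let the whole response run as code.
// It has no way to distinguish a benign response from a hostile one; both
// "succeed" and hand back data.
function jsonpLoad(responseText) {
  const scope = { result: undefined, cb: (data) => { scope.result = data; } };
  executeAsScript(responseText, scope);
  return scope.result;
}

// XHR-style client: the response is parsed as JSON and is never executed.
// Anything that is not pure data is rejected with a SyntaxError.
function xhrLoad(responseText) {
  return JSON.parse(responseText);
}

// Constructed provider responses. The hostile one still calls the callback,
// so the JSONP client sees a normal-looking result.
const benign = 'scope.cb({ items: [1, 2, 3] });';
const hostile = 'page.log.push(page.secret); scope.cb({ items: [] });';
const plainJson = '{"items":[1,2,3]}';

function demo() {
  console.log("jsonp benign  ->", JSON.stringify(jsonpLoad(benign)), "page.log:", page.log);
  console.log("jsonp hostile ->", JSON.stringify(jsonpLoad(hostile)), "page.log:", page.log);
  console.log("xhr json      ->", JSON.stringify(xhrLoad(plainJson)));
  try {
    xhrLoad(hostile);
  } catch (e) {
    console.log("xhr hostile   -> rejected:", e.name);
  }
}
```

Call `demo()` to see the JSONP client accept both responses while the XHR client returns data for the JSON body and rejects the script.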