What's the point of the Anti-Cross-Domain policy?

Front-end · unresolved · 4 · 508
隐瞒了意图╮ 2021-01-12 10:42

Why did the creators of the HTML DOM and/or Javascript decide to disallow cross-domain requests?

I can see some very small security benefits of disallowing it but in

4 answers
  •  感动是毒
    2021-01-12 11:27

    Here's a distinction for you: Cross-domain AJAX allows a malicious site to make your browser do things on its behalf, while JSON-P allows a malicious server to tamper with a single domain's pages (and to make the browser do things to that domain on your behalf) but (crucial bit) only if the page served went out of its way to load the malicious payload.

    So yes, JSON-P has some security implications, but they are strictly opt-in on the part of the website using them. Allowing general cross-domain AJAX opens up a much larger can of worms.
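    An added example (not from this thread) of the two mechanisms the answer contrasts: the scheme/host/port comparison a browser makes before it lets a page read a response, and the JSON-P opt-in step, where the page itself chooses to run a remote script, together with a conservative shape check a page can apply to a JSON-P body before treating it as data. All URLs and bodies below are constructed samples; it assumes Node.js with the WHATWG URL class.

```javascript
// The same-origin check: a page and a resource share an origin only when
// scheme, host and port all match. The URL class drops default ports, so
// "https://a.example:443" and "https://a.example" compare equal.
function sameOrigin(pageUrl, targetUrl) {
  const page = new URL(pageUrl);
  const target = new URL(targetUrl);
  return page.protocol === target.protocol &&
         page.hostname === target.hostname &&
         page.port === target.port;
}

// Without this check a page on evil.example could read, with your cookies
// attached, whatever bank.example returned. That is what the policy prevents.
function readAllowedWithoutCors(pageUrl, targetUrl) {
  return sameOrigin(pageUrl, targetUrl);
}

// JSON-P: the page opts in by inserting <script src="...?callback=cb">.
// Whatever that script contains runs with the page's own privileges, which is
// why the answer calls it strictly opt-in. This builds the opt-in URL the page
// would request (constructed helper, not a browser API).
function jsonpScriptUrl(endpoint, callbackName) {
  const u = new URL(endpoint);
  u.searchParams.set('callback', callbackName);
  return u.toString();
}

// Defensive shape check for a JSON-P body fetched by other means (e.g. XHR to
// a same-origin proxy): accept only "<expectedCallback>(<one JSON value>)" and
// reject anything that smuggles extra statements after the call.
const JSONP_SHAPE = /^\s*([A-Za-z_$][\w$]*)\s*\((.*)\)\s*;?\s*$/s;

function parseJsonpBody(body, expectedCallback) {
  const m = JSONP_SHAPE.exec(body);
  if (!m || m[1] !== expectedCallback) return null;
  try {
    return JSON.parse(m[2]);   // fails on "cb({}); steal()" style payloads
  } catch {
    return null;
  }
}
```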
