By default, browsers don't allow cross-site AJAX requests.
I understand that a badly envisioned cross-domain request can be a security risk. If I take the
The risk isn't to the site making the request.
For example:
In a nutshell — it prevents attackers from reading private data from any site that Alice has credentials for (and ones that are behind a firewall, e.g. Alice's corporate Intranet).
Note that this won't prevent attacks which don't depend on being able to read data from the site (CSRF), but without the Same Origin Policy the standard defence against CSRF would be easily defeatable.
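The two points in the answer above, as an added example that is not part of the original answer: a toy model in which the browser always sends the cross-site request with Alice's cookie, but hands the response to the calling script only when the origins match. The site, the URLs, the token format and every function name are constructed for illustration, and the model assumes no CORS headers and no SameSite cookie restrictions.

```javascript
// Toy model, constructed for illustration: a site that issues per-session
// CSRF tokens and a browser that attaches Alice's cookie to every request.
const origin = (url) => new URL(url).origin; // scheme + host + port

function makeSite() {
  const tokens = new Map(); // session cookie -> CSRF token
  return {
    getForm(cookie) { // GET: page embedding this session's token
      const token = "tok-" + cookie + "-" + tokens.size; // real tokens are random
      tokens.set(cookie, token);
      return { csrfToken: token };
    },
    postTransfer(cookie, token) { // POST: state change, accepted only with the token
      return { accepted: tokens.has(cookie) && tokens.get(cookie) === token };
    },
  };
}

function makeBrowser(site, siteUrl, enforceSop) {
  const cookie = "alice-session"; // Alice is logged in to siteUrl
  return {
    // A script running on pageUrl asks the browser to contact siteUrl.
    fetchFrom(pageUrl, action, token) {
      // The request goes out with the cookie regardless of who asked.
      const result = action === "form"
        ? site.getForm(cookie)
        : site.postTransfer(cookie, token);
      // Same Origin Policy: only a same-origin script may read the response.
      const readable = !enforceSop || origin(pageUrl) === origin(siteUrl);
      return { sent: true, serverResult: result, visibleToScript: readable ? result : null };
    },
  };
}

// A page on another origin tries to read the token, then submit the form.
function crossSiteAttempt(enforceSop) {
  const site = makeSite();
  const browser = makeBrowser(site, "https://bank.example/", enforceSop);
  const page = "https://other.example/page";
  const form = browser.fetchFrom(page, "form");
  const token = form.visibleToScript ? form.visibleToScript.csrfToken : "guess";
  const post = browser.fetchFrom(page, "transfer", token);
  return {
    tokenRead: form.visibleToScript !== null,
    requestSent: post.sent,
    transferAccepted: post.serverResult.accepted,
  };
}
```

With the policy enforced the forged POST still reaches the server but is rejected because the token could not be read; with it disabled the same page reads the token and the POST is accepted.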