By default, browsers don't allow cross-site AJAX requests.
I understand that a badly envisioned cross-domain request can be a security risk. If I take the
You're absolutely right with your second point re JSON/XML. When proper precaution is taken, there is no risk in receiving JSON from another domain. Even if the server decides to return some nasty script, you can effectively manage risk with proper data parsing. In fact, this is exactly why the JSONP hack is so popular (see Twitter's search API for example).
Already we're seeing HTML5-capable browsers introduce new objects and standards for cross-domain communication (postMessage - http://dev.w3.org/html5/postmsg/ and Cross-Origin Resource Sharing - http://www.w3.org/TR/cors/).
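To make the "proper data parsing" point concrete, here is an added example (not code from the answer above or from any real API) showing the defender-side handling of cross-domain data the answer describes: parsing JSON instead of evaluating it, unwrapping a JSONP response without executing it, and answering a CORS request only for an allowlisted origin. The callback name `cb`, the origins and the sample bodies are all constructed for illustration.

```javascript
// Added example, not from the original answer. No network requests are made;
// the response bodies below are constructed strings.

// 1. JSON received from another domain (e.g. via a CORS request): parse it,
//    never evaluate it. JSON.parse cannot run code, so a body that is really
//    a script simply fails to parse.
function parseCrossDomainJson(body) {
  try {
    const data = JSON.parse(body);
    // Accept only an object or array payload; bare primitives are rejected.
    if (data === null || typeof data !== 'object') {
      return { ok: false, reason: 'payload is not an object or array' };
    }
    return { ok: true, data };
  } catch (e) {
    return { ok: false, reason: 'body is not valid JSON' };
  }
}

// 2. A JSONP response is a script by design ("cb({...})"). Rather than letting
//    the browser execute it, require exactly one call to the expected callback
//    and parse only its argument as JSON; anything else in the body is rejected.
function unwrapJsonp(body, callbackName) {
  const name = callbackName.replace(/[.*+?^${}()|[\]\\]/g, '\\$&'); // RegExp-escape
  const m = new RegExp('^\\s*' + name + '\\(([\\s\\S]*)\\)\\s*;?\\s*$').exec(body);
  if (!m) return { ok: false, reason: 'body is not a single ' + callbackName + '(...) call' };
  return parseCrossDomainJson(m[1]);
}

// 3. CORS on the serving side: echo an origin only if it is on an explicit
//    allowlist (exact match). Reflecting arbitrary origins defeats the check.
function corsHeadersFor(requestOrigin, allowedOrigins) {
  if (!allowedOrigins.includes(requestOrigin)) return null;
  return { 'Access-Control-Allow-Origin': requestOrigin, 'Vary': 'Origin' };
}

// Constructed sample bodies (hypothetical, not from any real service):
const goodJson = '{"results":[{"text":"hello"}]}';
const scriptBody = 'runExtra(); {"results":[]}';          // not JSON: rejected
const goodJsonp = 'cb({"results":[{"text":"hello"}]});';
const badJsonp = 'cb({"results":[]}); runExtra(); cb({"x":1})'; // extra code: rejected

console.log(parseCrossDomainJson(goodJson).ok, parseCrossDomainJson(scriptBody).ok);
console.log(unwrapJsonp(goodJsonp, 'cb').ok, unwrapJsonp(badJsonp, 'cb').ok);
console.log(corsHeadersFor('https://app.example', ['https://app.example']));
```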