What is the purpose of the XHR cross domain restrictions?

I was always wondering what the purpose of the XHR cross domain restrictions is.

It seems the intention is to prevent maliciously injected JavaScript from sending private data to the attacker. However, sending data to any domain is easily possible with an injected script or img tag (or any other external resource for that matter).

kassens asked Jul 06 '11 13:07


1 Answer

If any arbitrary website could make an XHR call to your website, then the following could happen:

  1. Innocent user Alice logs into your secure website and acquires a secure session cookie.
  2. In another browser tab, Alice visits Bob's evil hacker website (which she thinks is just a Justin Bieber video)
  3. Bob's page issues an XHR to your secure website. Without the cross-domain policy, the browser would issue the request to your website — including the secure session cookie — and retrieve the results. Those results could include anything available to Alice while she's logged in to your secure site.

As it is, even with the cross-domain policy, Bob's evil website can in fact POST an HTTP request to your server by posting a form. It won't be able to see the results, but if Bob is clever he may have discovered a URL in your site that allows some activity from a POST even if it's not from a form on one of your pages. That's called Cross-Site Request Forgery, and it's something the browser cannot protect you from.

Pointy answered Nov 14 '22 20:11