By default, browsers don't allow cross-site AJAX requests.
I understand that a badly envisioned cross-domain request can be a security risk. If I take the html or the javascript of an external site and just "render" it into my website, that's a problem. That external code could be used for lots of bad things - like getting access to the current user's session data.
But if I only request JSON or XML data, and I use a proper library to parse the JSON (not just using eval), I can't imagine how that would be a security risk. The worst that can happen is that the content coming from that site doesn't render correctly.
Am I missing anything? Is it possible to compromise a page that reads json/xml simply by sending it some kind of malicious data?
The risk isn't to the site making the request.
For example:
In a nutshell — it prevents attackers from reading private data from any site that Alice has credentials for (and ones that are behind a firewall, e.g. Alice's corporate Intranet).
Note that this won't prevent attacks which don't depend on being able to read data from the site (CSRF), but without the Same Origin Policy the standard defence against CSRF would be easily defeatable.
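The answer above is about the browser refusing to hand a cross-site response to the calling page. The usual way a server deliberately relaxes that for trusted sites is CORS, and the way it goes wrong is echoing whatever `Origin` arrives while also allowing credentials. The following is an added illustration, not code from the question or answer: a small allowlist-based header decision beside the reflecting anti-pattern, plus a function that models the browser's read check. The origins and the allowlist are constructed placeholders.

```javascript
// Added example (not from the original question or answer): how a server can
// relax the Same Origin Policy for specific trusted origins via CORS without
// letting arbitrary sites read responses that carry the user's cookies.
// The allowlist and origins below are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com",
]);

// Decide which CORS headers to send for a request that carried the given
// Origin header. Returns an object of response headers (possibly empty).
function corsHeadersFor(origin) {
  // No Origin header: same-origin or non-browser client; nothing to add.
  if (!origin) return {};
  // Only an exact match against the allowlist is accepted. Reflecting the
  // request's Origin, or matching with a loose regex, would let any site
  // read authenticated responses, which is exactly what SOP prevents.
  if (!ALLOWED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Vary so shared caches do not serve one origin's header to another.
    "Vary": "Origin",
  };
}

// The insecure pattern, for comparison: reflecting whatever origin arrives
// while allowing credentials. Browsers then expose the credentialed
// response to any page that asks for it.
function insecureReflectingCors(origin) {
  return origin
    ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" }
    : {};
}

// Model of the browser-side check: the response body is handed to the
// calling page only if Allow-Origin matches the page's origin and, for
// requests that carried cookies, Allow-Credentials is "true". A wildcard
// is never honoured together with credentials.
function browserWouldExposeResponse(pageOrigin, headers, withCredentials) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;
  if (withCredentials && headers["Access-Control-Allow-Credentials"] !== "true") return false;
  if (allow === "*") return !withCredentials;
  return allow === pageOrigin;
}

// Demonstration: an untrusted page making a credentialed request.
const untrusted = "https://untrusted.example.net";
console.log("allowlist:", browserWouldExposeResponse(untrusted, corsHeadersFor(untrusted), true));
console.log("reflecting:", browserWouldExposeResponse(untrusted, insecureReflectingCors(untrusted), true));
```

Running the block prints `allowlist: false` and `reflecting: true`: with the allowlist the untrusted page gets a network error instead of the JSON, while the reflecting variant hands it the user's private data. The same decision function also covers preflight responses, since the origin check is what matters in both cases.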