Since it is straightforward to use JSONP in a script tag to fetch data from a different domain, shouldn't we allow XMLHttpRequest to do it as well? It doesn't make much sense to claim it strengthens security when it's possible to work around it, albeit with more messy semantics.
JSONP only works if the provider allows for it.
If cross-domain AJAX worked, one of the first problems would be people posting to other domains in the hope you have an authenticated account there. This is CSRF.
They could GET a page authenticated as you, take your token, and then POST something malicious with your token (which tells the application this is an internal request).