javascript - Why forbid cross-domain ajax when script tags work?
Since it is straightforward to use JSONP in a script tag to fetch data from a different domain, shouldn't XMLHttpRequest be allowed as well? It doesn't make sense to claim that this strengthens security when it's possible to work around it, albeit with messier semantics.
JSONP only works if the provider allows it.
If cross-domain AJAX worked, one of the first problems would be people posting to other domains in the hope that you have an authenticated account there: CSRF.
They would request a page you are authenticated on, take the token, and post a malicious request with that token (which tells the application it is an internal request).