I see the security risks with cross domain ajax calls,
but I think the real problem are the cookies that the browsers
automatically send to the target cross domain.
So why can't browser just not send cookies in the case of cross domain js request instead of blocking that request altogether ?
I hope my question makes sense.
EDIT:
from: https://en.wikipedia.org/wiki/Same-origin_policy
While this is true, the JavaScript has no direct access to the banking session cookie, but it could still send and receive requests to the banking site with the banking site's session cookie, essentially acting as a normal user of the banking site. Regarding the sending of new transactions, even CSRF protections by the banking site have no effect, because the script can simply do the same as the user would do
So Suppose I'm logged on facebook and meanwhile visiting a mslicious site that use cross site requests to facebook to steal information about me, I mean the only reason it could do it is because a legitimate cookie is included in the requests by the browser, am I wrong ?
