It's a shampoo world anyway
 
Thursday, 16 February 2006


Cross Domain XMLHttpRequests are really not a good idea

More than once in the last month I wondered about the reasons behind the same-origin restriction on the XMLHttpRequest JavaScript object's destination URL. This restriction effectively prevents JavaScript-initiated cross-domain HTTP requests. None of the other network-aware elements of HTML/JavaScript (e.g. images, iframes or scripts) are subject to such a policy.

Finally somebody convinced me: Lucas Carlson describes in a recent blog entry how cross-domain XMLHttpRequests could be employed to subvert firewall protection. A malicious JavaScript executed by a web browser behind a firewall would be able to communicate the content of any intranet HTTP server, which would otherwise be protected by the firewall, to any host on the internet. Such a script would furthermore be able to do a complete port scan of the intranet, thus discovering services and further attack targets.

What a pity, cross domain Ajax would be so much fun otherwise.
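
The same-origin check discussed above, written out as an added example (not code from this weblog or from any browser): a request is allowed only when scheme, host and port of the target match those of the page that runs the script. The function names and all URLs are constructed for illustration, and the model is simplified (it ignores special cases such as `document.domain`).

```javascript
// Added example: a simplified model of the same-origin comparison applied
// to an XMLHttpRequest destination URL. All URLs below are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin triple: scheme, host, port.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(),
    // The URL parser reports "" for a default port, so normalise it.
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// True only if scheme, host and port all match.
function isSameOrigin(pageUrl, targetUrl) {
  const a = originOf(pageUrl);
  const b = originOf(targetUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Resolve a (possibly relative) request URL against the page, then decide.
function checkXhrTarget(pageUrl, requestUrl) {
  const target = new URL(requestUrl, pageUrl).href;
  return { target, allowed: isSameOrigin(pageUrl, target) };
}

// A page loaded from the internet (constructed) and the requests it tries.
const PAGE = "http://www.example.com/page.html";
const REQUESTS = [
  "/data.xml",                        // relative: same origin
  "http://www.example.com:80/feed",   // explicit default port: same origin
  "https://www.example.com/feed",     // different scheme
  "http://www.example.com:8080/feed", // different port
  "http://intranet.example/wiki",     // intranet host behind the firewall
  "http://192.168.0.10/",             // intranet address behind the firewall
];

for (const r of REQUESTS) {
  const { target, allowed } = checkXhrTarget(PAGE, r);
  console.log((allowed ? "allow " : "block ") + target);
}
```

Only the first two requests pass; the two intranet targets are refused because their host differs from the page's, which is what keeps a script from an internet page from reading intranet servers through the visitor's browser.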

about:
the shampoo world is
the personal weblog of Martin Johns.