Why Do We Have Same-Host Restrictions?
By Adrian Sutton
There’s a lot of talk around at the moment about how to allow cross-domain AJAX requests without compromising security. What I don’t get is why this whole thing is an issue. What’s the difference between the two examples below?
Option 1: Browser connects to site A which loads JavaScript and initiates a request via AJAX to site B.
Option 2: Browser connects to site A which loads JavaScript and initiates a request via AJAX back to site A. The server at site A proxies the AJAX request to site B.
There’s no reason that site A can’t act as a simple tunnel straight through to site B, so the only difference is which IP the connection comes from, and that could be hidden by routing through a botnet. All the client browser cookies and other information included in the request would be passed through to site B, so it can still be used to track users across domains. Where is the benefit to security or privacy in adding this restriction?
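To make the two options concrete, here is a small model of what each request path carries to site B. This is an added example, not code from the post; it assumes constructed hostnames (`a.example`, `b.example`), a browser cookie jar keyed by host, and a proxy at site A that can only forward what the browser actually sent to A.

```python
"""Model of the two request paths from the post (added example, not the author's code).

Assumptions (constructed for the example): the browser keeps one cookie jar per host,
and the proxy at site A forwards only the headers that arrived in the request to A.
"""
from typing import Dict

CookieJar = Dict[str, Dict[str, str]]

# Constructed cookie jar: the browser holds a separate session cookie for each site.
BROWSER_COOKIES: CookieJar = {
    "a.example": {"a_session": "A1"},
    "b.example": {"b_session": "B1"},
}

BROWSER_IP = "203.0.113.10"    # constructed client address
SITE_A_SERVER_IP = "198.51.100.5"  # constructed address of site A's server


def browser_request(host: str, path: str, jar: CookieJar) -> dict:
    """The request the browser would build for `host`: only that host's cookies are attached."""
    return {"host": host, "path": path, "source_ip": BROWSER_IP,
            "cookies": dict(jar.get(host, {}))}


def option1_direct(jar: CookieJar) -> dict:
    """Option 1: script loaded from site A has the browser call site B directly."""
    return browser_request("b.example", "/data", jar)


def option2_proxy(jar: CookieJar, forward_cookies: bool = True) -> dict:
    """Option 2: browser calls site A, and site A's server relays the request to site B."""
    inbound = browser_request("a.example", "/proxy?to=b.example/data", jar)
    outbound = {"host": "b.example", "path": "/data",
                "source_ip": SITE_A_SERVER_IP, "cookies": {}}
    if forward_cookies:
        # A tunnel copying the Cookie header verbatim can only relay what reached A:
        # the browser never attached b.example's cookie to a request for a.example.
        outbound["cookies"] = dict(inbound["cookies"])
    return outbound


def what_site_b_sees(jar: CookieJar) -> Dict[str, dict]:
    """Compare the two paths side by side from site B's point of view."""
    return {"option1": option1_direct(jar), "option2": option2_proxy(jar)}
```

Running `what_site_b_sees(BROWSER_COOKIES)` shows the two paths differ in more than the source IP: the direct request carries the browser's `b.example` cookie, while the proxied one can carry only cookies that were scoped to `a.example`.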