Why is a cross-domain AJAX call not allowed?

Because of Same origin policy.

The same-origin policy exists to prevent malicious use of resources. If there were no rules governing cross-domain script access, it would be trivial to wreak all manner of havoc on unsuspecting users. It would be easy, for example, for a malicious website to grab your session information for another site and execute actions on your behalf.

For one example, consider this:

You go to your favorite webmail program - it could be Gmail, Yahoo mail, Hotmail, or a private internal company webmail program.

After signing in and checking your email, you click a link to a malicious site which opens in a new tab.

The malicious site checks the HTTP referer and sees that you came from your email account.

Using cross-domain scripting, the malicious site reaches back across into your email tab and downloads your address book and all your emails (or however many it can get before you close the popup).

Subsequently, after scanning your emails for passwords, financial data and other sensitive materials, it sends all your contacts an email from you endorsing the same site. And that's just one example. A more insidious plot would involve a malicious third party using your browser to spider your company's intranet, leaking classified information with you as the unwitting accomplice!

More on http://jimbojw.com/wiki/index.php?title=Introduction_to_Cross-Domain_Ajax
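To make the rule in this answer concrete, here is a small model of the check a browser performs before it lets page script read an AJAX (XMLHttpRequest/fetch) response. It is an added example, not code from the answer or from the linked wiki; the hostnames are constructed, and the "origin" is the scheme, host and port triple, which is what the policy actually compares (path, query and fragment are ignored).

```javascript
// Added example (not from the original answers): a model of the check a browser
// makes before it lets page script read an AJAX (XMLHttpRequest/fetch) response.
// An origin is the (scheme, host, port) triple; path, query and fragment are
// ignored. Uses the WHATWG URL class that Node.js and browsers provide.
// All hostnames below are constructed for illustration.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Serialize the origin of a URL so two origins can be compared as strings.
// A missing port means the scheme's default, so https://a.example and
// https://a.example:443 are the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Same-origin policy test: identical scheme, host and port.
function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Decide whether script running in `documentUrl` may read the body of a
// response fetched from `resourceUrl`. Without the policy, the second branch
// would not exist and the webmail scenario in the answer above would work.
function mayReadResponse(documentUrl, resourceUrl) {
  if (sameOrigin(documentUrl, resourceUrl)) {
    return { allowed: true, reason: "same origin" };
  }
  return {
    allowed: false,
    reason: `cross-origin read blocked: ${originOf(documentUrl)} -> ${originOf(resourceUrl)}`,
  };
}

// Walk through the scenario: the user is signed in to webmail, then opens an
// unrelated site in another tab, whose script tries to fetch the address book.
function demo() {
  const webmailPage = "https://mail.example.com/inbox?folder=all";
  const addressBook = "https://mail.example.com/contacts.json";
  const otherSite = "https://other-site.example.net/landing#promo";
  return {
    webmailItself: mayReadResponse(webmailPage, addressBook),                   // allowed
    otherSite: mayReadResponse(otherSite, addressBook),                          // blocked
    schemeDiffers: mayReadResponse("http://mail.example.com/", addressBook),     // blocked
    portDiffers: mayReadResponse("https://mail.example.com:8443/", addressBook), // blocked
    subdomain: mayReadResponse("https://static.example.com/", addressBook),      // blocked
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(demo());
}
```

Note that a different subdomain, scheme or port is a different origin: only the webmail page itself passes the check, so the "reach back across into your email tab" step fails at exactly this point in a browser that enforces the policy.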


The Same Origin Policy has been implemented for security reasons; quoting a relevant sentence from Wikipedia:

This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions.
A strict separation between content provided by unrelated sites must be maintained on client side to prevent the loss of data confidentiality or integrity.

Basically, you don't want any given website (like any website you might be surfing on -- and we all know people sometimes arrive on websites that you shouldn't trust) to be able to access data from any other one (like your webmail, or account on a social network).
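The quoted sentence explains why the separation must hold on the client side: the server acts on whatever cookie arrives with the request. When a cross-domain AJAX call is wanted on purpose, the only safe way to relax the policy is for the server to name the exact origins it trusts. The following is an added example of that server-side decision, not code from either answer or from Wikipedia; the allowlist, hostnames and the `corsHeadersFor` / `corsHeadersReflecting` helper names are constructed for illustration, and the header names are the standard CORS response headers. It shows the strict allowlist beside the misconfiguration that gives back exactly the problem both answers describe.

```javascript
// Added example (not from the original answers): the server-side half of
// relaxing the same-origin policy on purpose. A browser sends an Origin header
// on cross-origin AJAX requests and only exposes the response to page script
// if the server answers with matching CORS headers. The allowlist and origins
// below are constructed for illustration.

const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://admin.example.com:8443",
]);

// An allowlist entry must be an exact serialized origin: scheme://host[:port],
// no path, no trailing slash, no default port written out, no wildcard. The
// browser sends Origin in exactly that form, so anything else never matches.
function isSerializedOrigin(value) {
  let u;
  try { u = new URL(value); } catch { return false; }
  return (u.protocol === "https:" || u.protocol === "http:") && u.origin === value;
}

// Fail at startup on a malformed entry instead of silently never granting it.
for (const entry of ALLOWED_ORIGINS) {
  if (!isSerializedOrigin(entry)) throw new Error(`bad allowlist entry: ${entry}`);
}

// Strict policy: grant the read only to an allowlisted origin and echo that
// exact origin back. Never answer "*" when cookies are involved: browsers
// refuse "*" together with credentials, and it would hand the data to any site.
// `requestHeaders` is a plain object with lower-cased names, as Node.js
// presents incoming headers.
function corsHeadersFor(requestHeaders, allowlist = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  if (origin === undefined) return {};     // same-origin request or non-browser client
  if (origin === "null") return {};        // opaque origin (sandboxed frame, file:); never grant
  if (!allowlist.has(origin)) return {};   // unknown site: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                      // cached responses differ per origin
  };
}

// The misconfiguration to flag in review: reflecting whatever Origin arrived.
// With credentials enabled this re-creates the webmail scenario, because any
// site the user happens to visit can now read the authenticated response.
function corsHeadersReflecting(requestHeaders) {
  const origin = requestHeaders["origin"];
  if (origin === undefined) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
  };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("trusted:", corsHeadersFor({ origin: "https://app.example.com" }));
  console.log("untrusted:", corsHeadersFor({ origin: "https://other-site.example.net" }));
  console.log("reflected (bad):", corsHeadersReflecting({ origin: "https://other-site.example.net" }));
}
```

The `Vary: Origin` header matters once a cache sits in front of the server: without it, a response granted to one trusted origin can be served from cache, with its headers, to a request from another.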