Used client-side you are still exposing yourself to cross-site security issues and the like. While you are right that the client-side JS environment is prone to this by other methods, this doesn't mean you shoud open up this method too.