XSS is not a feature that can be enabled in jQuery. It would be very very unusual if the jQuery core had an XSS vulnerability, but it is possible and its called DOM-based XSS.
"Cross-Origin Resource Sharing" or CORS isn't the same as XSS, BUT, but if a web application had an XSS vulnerability, then an attacker would have CORS-like access to all resources on that domain. In short, CORS gives you control over how you break the same origin policy such that you don't need to introduce a full on XSS vulnerability.
The $.support.cors
query feature relies upon the Access-Control-Allow-Origin
HTTP response header. This could be a vulnerability. For example, if a web application had Access-Control-Allow-Origin: *
on every page, then an attacker would have the same level of access as an XSS vulenrablity. Be careful what pages you introduce CORS headers, and try and avoid *
as much as possible.
So to answer your question: NO a web application never needs to introduce an XSS vulnerability because there are way around the SOP such as CORS/jsonp/cross domain proxies/access-control-origin.
与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…