Because of this
The fix is to not execute responses from third-party origins by default and make it an option. Don't know who to cc to discuss it.
P.S. I would switch it off for same origin too, because using subtle redirect_to saving tricks we can redirect the user to a local JSONP endpoint and still get an XSS, but those are much more sophisticated vectors.