I'm pretty sure the same-origin policy applies to localhost URLs as well.
However... if you're not interested in the response, you can get a browser to perform a POST request across domains via a form. I suspect this means we'd still need a password, even for "non-sensitive" commands, otherwise a rogue site could flood your client with (for instance) a thousand new address requests.
So back to the auto-generated password again, but this time with limited server commands by default...
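As an added illustration of the form-POST concern above (this is example code written for this page, not code from the thread or from the Bitcoin project): a hidden form with enctype="text/plain" lets a rogue page make the browser POST a body that happens to be valid JSON-RPC to the local RPC port, and the thing the form cannot supply is the HTTP Basic Authorization header. The server-side check below therefore rejects any request without valid credentials before it even looks at the method, and only then applies an optional allowlist of "limited" commands. The port 8332, the credentials rpcuser/s3cret-autogen, the Origin http://evil.example and the allowlist contents are all hypothetical.

```python
import base64
import hmac
import json

# Constructed sample: the request a browser sends when a rogue page auto-submits
#   <form method="POST" action="http://127.0.0.1:8332/" enctype="text/plain">
#     <input name='{"method":"getnewaddress","params":[],"id":"x' value='y"}'>
#   </form>
# text/plain form encoding emits each field as name=value, so the body below
# is well-formed JSON-RPC even though no script on the rogue page can read the reply.
CSRF_REQUEST = {
    "headers": {
        "Host": "127.0.0.1:8332",
        "Origin": "http://evil.example",  # hypothetical rogue site
        "Content-Type": "text/plain",
    },
    "body": '{"method":"getnewaddress","params":[],"id":"x=y"}',
}


def basic_auth_header(user, password):
    """Build the HTTP Basic header a real RPC client would send."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return "Basic " + token


# Constructed sample: a legitimate client call carrying the (hypothetical) RPC
# password. A cross-site form submission has no way to add this header.
LEGIT_REQUEST = {
    "headers": {
        "Host": "127.0.0.1:8332",
        "Content-Type": "application/json",
        "Authorization": basic_auth_header("rpcuser", "s3cret-autogen"),
    },
    "body": '{"method":"getnewaddress","params":[],"id":1}',
}


def parse_method(body):
    """Return the JSON-RPC method name in a request body, or None if unparsable."""
    try:
        return json.loads(body)["method"]
    except (ValueError, KeyError, TypeError):
        return None


def check_rpc_request(req, rpc_user, rpc_password, allowed_methods=None):
    """Return (allowed, reason) for one RPC request.

    Credentials are checked first, so even a 'non-sensitive' command from a
    rogue site is refused; allowed_methods (if given) is the hypothetical
    'limited by default' command set applied only after authentication.
    """
    headers = {k.lower(): v for k, v in req["headers"].items()}
    auth = headers.get("authorization", "")
    if not auth.startswith("Basic "):
        return False, "missing HTTP Basic credentials"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return False, "malformed Authorization header"
    # Constant-time comparison so the check does not leak the secret by timing.
    ok = hmac.compare_digest(user.encode(), rpc_user.encode()) and \
        hmac.compare_digest(password.encode(), rpc_password.encode())
    if not ok:
        return False, "bad credentials"
    # Forms can only produce urlencoded, multipart or text/plain bodies, so
    # insisting on application/json is an independent second line of defence.
    if headers.get("content-type") != "application/json":
        return False, "content-type is not application/json"
    method = parse_method(req["body"])
    if method is None:
        return False, "body is not a JSON-RPC call"
    if allowed_methods is not None and method not in allowed_methods:
        return False, f"method {method} is not enabled on this server"
    return True, f"authenticated call to {method}"


if __name__ == "__main__":
    for name, req in (("form CSRF", CSRF_REQUEST), ("real client", LEGIT_REQUEST)):
        print(name, check_rpc_request(req, "rpcuser", "s3cret-autogen"))
```

The point the block makes runnable: the rogue page's body parses as a perfectly good getnewaddress call, and the only reason it is refused is the missing password, which is why an auto-generated password has to guard every command and not just the sensitive ones.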
And I don't think it should go into mainline bitcoin until there is a compelling need for it-- and I don't think there will be a need until the 'click on a link, popup payment dialog from bitcoin' functionality is worked out...
That's true, and that was my main reason for proposing this. We probably should get that functionality working with an explicit RPC password first.