By Cesar


2009-07-23 11:00:18 8 Comments

From: https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript

The same origin policy prevents a document or script loaded from one  
origin from getting or setting properties of a document from another origin.
This policy dates all the way back to Netscape Navigator 2.0.

So why is the same origin policy not enforced when I have a script tag like this:

<script src="//ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>

I'm sure I'm missing 'something'; I've read
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
a bunch of times but cannot figure it out...

3 comments

@RichieHindle 2009-07-23 11:07:37

<script> tags are an exception to this rule. A page is allowed to "invite" a script from another server, and that's considered OK.

(The whole economy of the internet - on-page advertising - is based on this being allowed! Although it does represent a security risk, it's not going to change any time soon.)

@Sam Hasler 2009-07-23 11:03:58

HTML can load from wherever it likes, it's another script running on the page that can't fetch documents from another origin.

@Cesar 2009-07-23 11:08:45

That's the kind of answer I like. Simple but concise.

@NickFitz 2009-07-23 11:22:42

What Cesar said :-) It's also worth pointing out that the same-origin policy applies to the domain of the page, not the script: a script loaded from example.net by a page at example.com will only be able to access example.com, not example.net.

@Quentin 2009-07-23 11:03:19

Scripts are not documents. They run in the context of the document that includes the <script> element.

@Cesar 2009-07-23 11:06:21

Can you point me to a reference where this is explained more clearly, from above: ...prevents a document OR script...
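The rule the comments describe (the `<script src>` load itself is exempt, but whatever the script then does is bound to the origin of the including document, with origin meaning scheme, host and port) can be written down as a small checker. This is an added example, not code from the question or any of the commenters; the function names (`originOf`, `sameOrigin`, `isAllowed`, `scriptCanRead`) and the access kinds `"script-include"` and `"read"` are assumptions made for illustration, and the URLs are constructed sample values. It runs under Node with no dependencies, using the built-in `URL` class so that a protocol-relative `src` like the one in the question resolves against the document's URL.

```javascript
// Added example (not from the original page): a model of the browser's
// same-origin check as the comments above explain it.

// Origin of a URL, resolved against a base (the document URL) so that
// protocol-relative or relative URLs work. new URL() drops a default port,
// so http://example.com:80/x and http://example.com/x share an origin.
function originOf(url, base) {
  const u = new URL(url, base);
  return `${u.protocol}//${u.host}`; // host includes a non-default port
}

// Two URLs share an origin when scheme, host and port all match.
function sameOrigin(a, b, base) {
  return originOf(a, base) === originOf(b, base);
}

// May a document at documentUrl perform an access of the given kind on targetUrl?
//   "script-include": the <script src=...> load itself (the exception RichieHindle
//                     describes: any origin may be invited)
//   "read":           a script reading a document/response from targetUrl, which
//                     the policy restricts to the document's own origin
function isAllowed(documentUrl, kind, targetUrl) {
  if (kind === "script-include") return true;
  if (kind === "read") return sameOrigin(documentUrl, targetUrl, documentUrl);
  throw new Error(`unknown access kind: ${kind}`);
}

// NickFitz's point: an included script runs with the *document's* origin.
// The script's own src is deliberately ignored here because it grants nothing.
function scriptCanRead(documentUrl, _scriptSrc, targetUrl) {
  return isAllowed(documentUrl, "read", targetUrl);
}

// Constructed scenario: a page on example.com includes jQuery from Google and a
// library from example.net, then each script tries to read from various places.
function demo() {
  const page = "http://example.com/page.html";
  const cases = [
    ["script-include", "//ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"],
    ["script-include", "http://example.net/lib.js"],
    ["read", "http://example.com/api/data"],      // same origin: allowed
    ["read", "http://example.com:80/api/data"],   // default port: same origin
    ["read", "https://example.com/api/data"],     // scheme differs: blocked
    ["read", "http://www.example.com/api/data"],  // host differs: blocked
    ["read", "http://example.net/api/data"],      // the script's own host: still blocked
  ];
  return cases.map(([kind, target]) => ({ kind, target, allowed: isAllowed(page, kind, target) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of demo()) {
    console.log(`${row.kind.padEnd(15)} ${row.allowed ? "ALLOW" : "BLOCK"}  ${row.target}`);
  }
}
```

The last `"read"` case is the one the question is really about: a script served from example.net and included by a page on example.com still cannot read from example.net, because it inherited the page's origin when it was invited in.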
