Why is the 'src' attribute allowed to refer to scripts from external domains, but XMLHttpRequests not?

I read several answers on StackOverflow regarding the same origin policy, but I don't seem to be collecting the essential part.

In all tags that use the src attribute, like <script> and <img>, you are allowed to use external resources (from a different domain).

Why is this allowed, but with XMLHttpRequest (like AJAX calls) it is not? I don't seem to understand why the latter is more dangerous.

I mean, you can also have malicious code in an external source, for example: <script src="http://example.com/malicious_script.js"></script>

+3




1 answer


The same origin policy aims to protect the remote server's data from an unknown client, not to protect the client from malicious code from the server. <script> tags prevent the client from making non-GET requests or receiving data that is not explicitly displayed by the server in a valid JavaScript file.



+1


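As an added example (not from the question or the answer above), here is a simplified JavaScript model of the check a browser applies before handing a cross-origin XMLHttpRequest response to the page: the read succeeds only when the responding server opts in with CORS headers, which is the "protect the server's data" side the answer describes. A <script src> response skips this check because the page never sees the raw bytes, only what the served JavaScript chooses to expose. Origins, header sets and the withCredentials flag below are constructed sample inputs.

```javascript
// Decide whether a page at `pageOrigin` may read a response it fetched from
// `targetOrigin`. `headers` is a plain object of lower-cased response headers;
// `withCredentials` mirrors xhr.withCredentials (cookies attached).
function canReadResponse(pageOrigin, targetOrigin, headers, withCredentials = false) {
  // Same origin: the same-origin policy does not apply, no CORS check at all.
  if (pageOrigin === targetOrigin) return { allowed: true, reason: 'same-origin' };

  const allowOrigin = headers['access-control-allow-origin'];
  if (allowOrigin === undefined) {
    // Default for any server that never opted in: the request is sent,
    // but the browser refuses to let the page read the body.
    return { allowed: false, reason: 'no Access-Control-Allow-Origin header' };
  }

  if (allowOrigin === '*') {
    // The wildcard only covers anonymous requests; once cookies are attached
    // the server must name the origin explicitly and allow credentials.
    if (withCredentials) return { allowed: false, reason: 'wildcard not valid with credentials' };
    return { allowed: true, reason: 'public resource (wildcard)' };
  }

  if (allowOrigin !== pageOrigin) {
    return { allowed: false, reason: `server allows ${allowOrigin}, not ${pageOrigin}` };
  }

  if (withCredentials && headers['access-control-allow-credentials'] !== 'true') {
    return { allowed: false, reason: 'credentials sent but not allowed by server' };
  }
  return { allowed: true, reason: 'origin explicitly allowed' };
}

// Constructed sample responses from a hypothetical https://api.example server.
const responses = {
  privateApi: {},                                        // no CORS headers at all
  publicFeed: { 'access-control-allow-origin': '*' },    // anyone may read, anonymously
  partnerApi: {                                          // one named origin, with cookies
    'access-control-allow-origin': 'https://app.example',
    'access-control-allow-credentials': 'true',
  },
};

// Run every sample response against a page on an unrelated origin.
function checkAll(pageOrigin, withCredentials = false) {
  const result = {};
  for (const [name, headers] of Object.entries(responses)) {
    result[name] = canReadResponse(pageOrigin, 'https://api.example', headers, withCredentials).allowed;
  }
  return result;
}

console.log(checkAll('https://other.example'));        // only publicFeed is readable
console.log(checkAll('https://app.example', true));    // partnerApi becomes readable
```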






