Why is the 'src' attribute allowed to refer to scripts from external domains, but XMLHttpRequests not?
I read several answers on StackOverflow regarding the same origin policy, but I don't seem to be collecting the essential part.
In all tags that use the src attribute, like <script> and <img>, you are allowed to use external resources (from a different domain).
Why is this allowed, but with XMLHttpRequest (like AJAX calls) it is not? I don't seem to understand why the latter is more dangerous.
I mean, you can also have malicious code in an external source, for example:
<script src="http://example.com/malicious_script.js"></script>
The same origin policy aims to protect the remote server's data from an unknown client, not to protect the client from malicious code from the server. <script> tags prevent the client from making non-GET requests or receiving data that is not explicitly displayed by the server in a valid JavaScript file.
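An added example, not code from the question or the answer above, modelling the rule the answer describes: a src attribute may embed a cross-origin resource because the page's scripts never see its bytes, while an XMLHttpRequest would expose the response, so it is allowed only for the same origin or when the server opts in with an Access-Control-Allow-Origin header (CORS, which the answer does not mention). All URLs and header values are constructed; only the built-in URL class is used.

```javascript
// Added example, not code from the question or answer: a small model of the
// browser rule the answer describes, for a page at `pageUrl` touching `targetUrl`.
// A src attribute (<script>, <img>) may embed a cross-origin resource but never
// hands its bytes to page JavaScript; an XMLHttpRequest would expose the
// response body, so it is allowed only for the same origin or when the server
// opts in with Access-Control-Allow-Origin. Inputs below are constructed.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// An origin is the (scheme, host, port) tuple; a missing port means the scheme default.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname}:${u.port || DEFAULT_PORTS[u.protocol] || ''}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Does the (constructed) Access-Control-Allow-Origin value grant pageOrigin?
function corsAllows(headerValue, pageOrigin) {
  if (headerValue === '*') return true;
  try { return headerValue !== null && originOf(headerValue) === pageOrigin; }
  catch { return false; }          // unparsable header value grants nothing
}

// kind: 'embed' (src attribute) or 'read' (XMLHttpRequest / fetch). Returns whether
// the browser sends the request and whether page scripts can read the response body.
function decide({ pageUrl, targetUrl, kind, method = 'GET', corsHeader = null }) {
  if (kind === 'embed') {
    // src attributes can only issue GET; the resource runs or renders, but
    // the page's scripts never see its bytes, so any origin is acceptable.
    return method === 'GET'
      ? { sent: true, bodyReadable: false }
      : { sent: false, bodyReadable: false, reason: 'src can only GET' };
  }
  if (isSameOrigin(pageUrl, targetUrl)) return { sent: true, bodyReadable: true };
  const allowed = corsAllows(corsHeader, originOf(pageUrl));
  // Simple methods are sent even cross-origin (the server still sees them);
  // the browser only withholds the response. Other methods need a preflight
  // and the actual request is not sent unless the server permits the origin.
  const simple = ['GET', 'HEAD', 'POST'].includes(method);
  return {
    sent: simple || allowed,
    bodyReadable: allowed,
    reason: allowed ? undefined : 'no Access-Control-Allow-Origin for this origin',
  };
}
```

Note that a cross-origin GET is still delivered to the server; the policy only stops the calling page from reading what comes back, which is why it protects the server's data rather than the client.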