Is google AJAX Libraries API bypassing same origin policy?

views:

576

answers:

+4 Q:

Is google AJAX Libraries API bypassing same origin policy?

From: https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript

The same origin policy prevents a document or script loaded from one  
origin from getting or setting properties of a document from another origin.
This policy dates all the way back to Netscape Navigator 2.0.

So why is not the same origin policy enforced?, when a have a script tag like this:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js">&lt;/script>

I'm sure I'm missing 'something', I've read
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
a bunch of times but can not figure out...

Scripts are not documents. They run in the context of the document that includes the <script> element.

David Dorward 2009-07-23 11:03:19

Can you point me to a reference where this is explained more clearly, from above: ...prevents a document OR script...

Cesar 2009-07-23 11:06:21

+4 A:

HTML can load from wherever it likes, it's another script running on the page that can't fetch documents from another origin.

Sam Hasler 2009-07-23 11:03:58

That's the kind of answer a like. Simple but concise.

Cesar 2009-07-23 11:08:45

What Cesar said :-) It's also worth pointing out that the same-origin policy applies to the domain of the page, not the script: a script loaded from example.net by a page at example.com will only be able to access example.com, not example.net.

NickFitz 2009-07-23 11:22:42

<script> tags are an exception to this rule. A page is allowed to "invite" a script from another server, and that's considered OK.

(The whole economy of the internet - on-page advertising - is based on this being allowed! Although it does represent a security risk, it's not going to change any time soon.)

RichieHindle 2009-07-23 11:07:37

ansaurus

tags:

views:

answers:

Is google AJAX Libraries API bypassing same origin policy?

related questions