views:

576

answers:

3

From: https://developer.mozilla.org/En/Same_origin_policy_for_JavaScript

The same origin policy prevents a document or script loaded from one  
origin from getting or setting properties of a document from another origin.
This policy dates all the way back to Netscape Navigator 2.0.

So why is not the same origin policy enforced?, when a have a script tag like this:

<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js">&lt;/script>

I'm sure I'm missing 'something', I've read
http://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
a bunch of times but can not figure out...

A: 

Scripts are not documents. They run in the context of the document that includes the <script> element.

David Dorward
Can you point me to a reference where this is explained more clearly, from above: ...prevents a document OR script...
Cesar
+4  A: 

HTML can load from wherever it likes, it's another script running on the page that can't fetch documents from another origin.

Sam Hasler
That's the kind of answer a like. Simple but concise.
Cesar
What Cesar said :-) It's also worth pointing out that the same-origin policy applies to the domain of the page, not the script: a script loaded from example.net by a page at example.com will only be able to access example.com, not example.net.
NickFitz
A: 

<script> tags are an exception to this rule. A page is allowed to "invite" a script from another server, and that's considered OK.

(The whole economy of the internet - on-page advertising - is based on this being allowed! Although it does represent a security risk, it's not going to change any time soon.)

RichieHindle