First off, I'm embarassed that I don't know this. I know these things work, but just not sure why. There is something I still don't get about CDNs and stuff like Google Analytics or Adsense.
If these scripts are coming from a domain other than your site's domain how does this all tie in with same origin policy (SOP) and cross-site scripting (XSS)? From what I understand about XSS and SOP, these scripts just shouldn't be able to run or interact with the DOM in your site. How come they are given special privileges? And how are these special privileges differentiated from other external scripts that cause errors in browsers due to XSS and SOP?
In a nutshell, I want to know why scripts from another domain are allowed to run, interact with and manipulate my site?
First off, I'm embarassed that I don't know this. I know these things work, but just not sure why. There is something I still don't get about CDNs and stuff like Google Analytics or Adsense.
If these scripts are coming from a domain other than your site's domain how does this all tie in with same origin policy (SOP) and cross-site scripting (XSS)? From what I understand about XSS and SOP, these scripts just shouldn't be able to run or interact with the DOM in your site. How come they are given special privileges? And how are these special privileges differentiated from other external scripts that cause errors in browsers due to XSS and SOP?
In a nutshell, I want to know why scripts from another domain are allowed to run, interact with and manipulate my site?
Share Improve this question edited Oct 27, 2011 at 15:35 nickytonline asked Oct 27, 2011 at 15:27 nickytonlinenickytonline 6,9817 gold badges46 silver badges76 bronze badges 2- 1 related: stackoverflow.com/questions/12543978/… – GibboK Commented Jan 4, 2016 at 14:29
- 1 also related: stackoverflow.com/questions/11991915/… – GibboK Commented Jan 4, 2016 at 14:32
1 Answer
Reset to default 23You're misunderstanding these policies.
SOP prevents a page (such as in a frame) from interacting with a page from a different domain, or from reading a resource (AJAX request) in a different domain.
There is nothing wrong with a script from a different domain executing in your page, as long as you explicitly load it. (that's how JSONP works) However, you can't read the script's source, since that's a resource from a different domain.
Browser security restrictions are based on the source of the page executing the code, not the site that a particular <script> came from.
Note that including Javascript from a different domain grants that script full access to your page; it can send AJAX requests (to your domain) and steal information by sending non-AJAX requests to other domains.
Only include a script from a different domain if you trust that domain.