It's common practice to include scripts from other origins with script tags, but when you use fetch calls on other origins, everything must be configured carefully, otherwise you will get a CORS error.
Does the script tag somehow bypass CORS? How does that work?
asked Aug 14, 2020 at 22:45 by Thomas
- Are you asking why it's allowed to load the script from another origin, or are you suggesting that the remote scripts will try to fetch other data from their sites? – Barmar Commented Aug 14, 2020 at 22:53
- @Barmar the first one. – Thomas Commented Aug 14, 2020 at 23:03
2 Answers
The Same Origin Policy prevents JavaScript reading data from other origins without permission (which is usually provided by CORS).
Running JavaScript from other origins is not prevented by the Same Origin Policy (nor is loading stylesheets, displaying images, content in iframes, etc).
JavaScript in the page can't (usually) read sensitive data from other origins through those methods in the first place.
It depends. If you are trying to load a JavaScript module (i.e. <script type="module">), then you need a CORS-enabled server if the src is on a different origin. Otherwise, no. I.e.:
<!-- Not a CORS request -->
<script src="https://example.com/script.js"></script>
<!-- CORS request -->
<script type="module" src="https://example.com/script.js"></script>
Note: you can add the crossorigin attribute to the first one to ask the browser to treat it as a CORS request.
You can find more here: https://jakearchibald.com/2021/cors/
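The rules from both answers, written out as an added example (not code from either answer): a simplified model of what a browser does with a cross-origin `<script>` load. It goes slightly beyond the answers by also covering credentials and muted error reporting. The function names, the `https://app.example` origin and the header objects are constructed for illustration and are not a browser API.

```javascript
// Simplified model (illustrative names, not a browser API) of how a browser
// treats a cross-origin <script> load.

// Map the element's attributes to the request the browser issues.
function scriptRequest({ type = "classic", crossorigin = null } = {}) {
  // Module scripts always use CORS; classic scripts only with crossorigin set.
  const cors = type === "module" || crossorigin !== null;
  return {
    mode: cors ? "cors" : "no-cors",
    // no-cors loads use credentials mode "include"; CORS loads use it only
    // with crossorigin="use-credentials".
    credentials:
      !cors || crossorigin === "use-credentials" ? "include" : "same-origin",
  };
}

// CORS check on the response headers (keys assumed lower-cased).
function corsCheck(req, pageOrigin, headers) {
  const allow = headers["access-control-allow-origin"];
  if (allow === "*" && req.credentials !== "include") return true;
  if (allow !== pageOrigin) return false;
  return (
    req.credentials !== "include" ||
    headers["access-control-allow-credentials"] === "true"
  );
}

function loadCrossOriginScript(attrs, pageOrigin, headers) {
  const req = scriptRequest(attrs);
  if (req.mode === "no-cors") {
    // Opaque response: the script runs, but the page gets no access to the
    // body and runtime errors are reported only as "Script error.".
    return { ...req, executes: true, errorDetailsVisible: false };
  }
  const ok = corsCheck(req, pageOrigin, headers);
  return { ...req, executes: ok, errorDetailsVisible: ok };
}

// Constructed sample values.
const PAGE = "https://app.example";
const NO_CORS_HEADERS = {};
const STAR = { "access-control-allow-origin": "*" };
for (const attrs of [{}, { type: "module" }, { crossorigin: "anonymous" }]) {
  console.log(attrs, loadCrossOriginScript(attrs, PAGE, NO_CORS_HEADERS),
    loadCrossOriginScript(attrs, PAGE, STAR));
}
```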