What is the reason/background that the – deceze Jan 13 '13 at 16:13

  • Sorry I didn't express myself well enough, my English isn't the best. I meant, that the scripts within the – Any1 Jan 13 '13 at 16:23
  • @deceze: It's plain to see on any website that, say, loads jQuery from Google. Like _this one_. – Lightness Races in Orbit Jan 13 '13 at 16:24
  • @Lightness I know what *cross-site-script-inclusion* is, I'm asking the OP to clarify why he thinks scripts are exempt from the Same Origin Policy. – deceze Jan 13 '13 at 16:26
  • @deceze I think scripts are exempt from the policy, because cross-site-script-inclusion is possible as you just stated. – Any1 Jan 13 '13 at 16:42
  • Just like external image or CSS resources can be included. Maybe you're misunderstanding what the Same Origin Policy covers. – deceze Jan 13 '13 at 16:46
  • @deceze I think he understands what it covers, he's asking *why* it doesn't cover external scripts. – Peter Olson Jan 13 '13 at 16:51
  • Yes, I know what it covers and what it doesn't cover, but I am interested in the reasons and intentions behind it – Any1 Jan 13 '13 at 17:15
  • Honestly, my guess is that browsers did things in the very early days before the repercussions of the same-origin policy were fully understood. At a certain point this behavior became so widespread it would be impossible to revert or alter. – monsur Jan 14 '13 at 17:13
  • @monsur also for me it seems like the most logical explanation, but I'd like to know it for sure ;) – Any1 Jan 16 '13 at 16:57
  • @LightnessRacesinOrbit Can we chat, I have some doubts regarding this. – Suraj Jain May 29 '18 at 08:57
  • @deceze SOP main purpose or sole purpose is to not let other origin javascript read the responses, request can always be made, but we cannot read the response. Am I right? – Suraj Jain May 29 '18 at 08:58
3 Answers

    1

    I don't know the reasons that it was decided that foreign <script> didn't need to be blocked, but there are many benefits of that decision.

    • Not all scripts have to be hosted on your own site, and, as a corollary,
    • scripts can be hosted by content delivery networks that can deliver them faster and allow the client to use cached versions of popular scripts.
    • Foreign scripts allow us to have cross-domain AJAX requests via JSONP.

    Also, script tags historically predate the Same Origin Policy, so it would make sense that scripts could reference files not necessarily hosted by the same site, to be consistent with how the a, img, embed, frame and other tags also did.

    Peter Olson
      I did a little bit more research and found out, that the ` – Any1 Jan 16 '13 at 16:55
    • It should be noted that with HTTP2 the use of CDNs should be carefully considered as it may mean extra DNS lookups and certainly means extra connections (HTTP2 makes only one connection to the server usually). – Richard Sep 27 '17 at 10:17
    • Script is blocked for most MIME types. Not even "plain/text" is allowed to read externally. Script can hold accessible static data only if src is not used. If src is used the code can not be accessed. –  Aug 04 '19 at 23:53
    0

    Certainly part of the reason is that the <script> tag is much older than the same origin policy, so preventing its use would break a lot of web pages.

    I believe the other reason is that the same origin policy works to prevent information from being accessed by a different origin than it was created in. The script tag doesn't permit information to be sent to its origin, or at least, no more information than any other GET request such as <style> or <img> would.

    Charles Engelke
    • But the information that also any other GET request such as ` – Any1 Jan 13 '13 at 16:33
    • @Boka A GET request *should not* be harmful. GET requests should not alter any state. And if included scripts could not interact with the current page, they'd be pretty useless. They're secure insofar as *you* have to include them in your site, so it's up to you whether you trust the scripts you include. – deceze Jan 13 '13 at 16:43
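The JSONP mechanism Peter Olson's answer mentions, and the point in the answer and comments above that an included script hands the page only what its author chose to expose, as an added example that is not code from the page or any of its posters; the names `serverResponse`, `loadAsScript` and `isSafeCallback` are assumptions, and no network is involved.

```javascript
// Added example, not code from the page or any answerer: a self-contained
// simulation of the JSONP pattern. Nothing touches the network; serverResponse()
// stands in for a cross-origin endpoint and loadAsScript() for the browser
// executing a <script src="..."> whose response that endpoint returned.

// A well-behaved JSONP endpoint only accepts a plain identifier as the
// callback name; anything else in that parameter would otherwise be echoed
// verbatim into a script that the embedding page executes.
function isSafeCallback(name) {
  return /^[A-Za-z_$][\w$]*$/.test(name);
}

// The endpoint wraps its data in a call to the requested callback.
function serverResponse(callbackName, data) {
  if (!isSafeCallback(callbackName)) {
    throw new Error("rejected callback name");
  }
  return callbackName + "(" + JSON.stringify(data) + ");";
}

// A browser runs a script fetched via <script src> in the page's global scope
// regardless of its origin. pageGlobals models that global object; the
// sloppy-mode Function body lets `with` resolve bare identifiers against it.
function loadAsScript(scriptText, pageGlobals) {
  new Function("g", "with (g) { " + scriptText + " }")(pageGlobals);
}

// The page registers a callback and includes the foreign script: the data
// arrives only because the endpoint chose to hand it over by calling back.
function jsonpRead(data) {
  const page = { received: null };
  page.handleData = function (payload) { page.received = payload; };
  loadAsScript(serverResponse("handleData", data), page);
  return page.received;
}

// Contrast: the same endpoint serving plain JSON. Loaded as a script it either
// fails to parse (an object literal at statement start is read as a block) or
// evaluates to a value nothing holds a reference to, so the including page
// learns nothing from the cross-origin response.
function plainJsonAsScript(data) {
  const page = { received: null };
  try {
    loadAsScript(JSON.stringify(data), page);
  } catch (e) {
    return { error: e.name, received: page.received };
  }
  return { error: null, received: page.received };
}
```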
    -2

    Though there are likely ways around it, script tag src parameters are generally fixed values set in your static HTML. Both historically and even now in terms of security risks, there's not much concern over cross-domain script requests in this fashion. On the other hand, there is certainly a large benefit in allowing it — CDNs for script downloads, jQuery hosted on the cloud, etc. There's also backward-compatibility to consider.

    This is not quite as true for AJAX requests, where the script URL may (and often does) come from user input or other dynamic state. On average, the barrier to entry for breaking this is much lower than for breaking a script tag, where "breaking" = "causing a security breach".

    • Source: guessing
    Lightness Races in Orbit