
Can an included script hosted on a different domain access localstorage from current domain

Is it possible for an included script that is hosted on a different domain to access the local storage of the current domain? This still remains unclear to me after reading https://developer.mozilla.org/de/docs/Web/API/Window/localStorage

For example: mydomain.com includes <script src="https://www.youtube.com/iframe_api" async></script>. Can this included script access the localStorage of mydomain.com?

Simon Ferndriger asked Dec 07 '25 07:12


1 Answer

Scripts you include in your page using <script> can definitely access local storage; they are running in the same origin as your other scripts. This is also the reason behind advisories against storing authentication tokens inside local storage, because a script injected through an XSS attack can read and write to the local storage.

This is, however, different for an <iframe>, since it has its own origin.

Positivity answered Dec 08 '25 20:12
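
An added example, not part of the answer above: an audit helper that lists which embedded resources on a page end up sharing the page's localStorage. The storage origin of a `<script src>` is the embedding document's origin, while an `<iframe>` uses the origin of its own document. The function name, the sample markup and the `VIDEO_ID` placeholder are constructed for illustration.

```javascript
// Added example. storageAccessReport() is a hypothetical helper, not a browser API.
// The regex tag scan is a simplification; sandbox and srcdoc frames are not modelled.
function storageAccessReport(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = [];
  const tagRe = /<(script|iframe)\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const tag = m[1].toLowerCase();
    // Match a real src attribute only (not data-src), quoted or unquoted.
    const srcMatch =
      /(?:^|\s)src\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(m[2]);
    if (!srcMatch) continue; // inline script or frame without src
    const src = srcMatch[1] ?? srcMatch[2] ?? srcMatch[3];
    let loadedFrom;
    try {
      loadedFrom = new URL(src, pageUrl).origin; // resolves relative URLs too
    } catch {
      continue; // unparsable URL, skip
    }
    // A script executes inside the embedding document, so it uses the page's
    // origin for storage no matter where the file was fetched from.
    // An iframe is a separate document and uses the origin of its own URL.
    const storageOrigin = tag === "script" ? pageOrigin : loadedFrom;
    report.push({
      tag,
      src,
      loadedFrom,
      thirdParty: loadedFrom !== pageOrigin,
      storageOrigin,
      sharesPageStorage: storageOrigin === pageOrigin,
    });
  }
  return report;
}

// Constructed sample markup for the page from the question.
const SAMPLE_HTML = `
<script src="https://www.youtube.com/iframe_api" async></script>
<script src="/js/app.js"></script>
<script>console.log("inline")</script>
<iframe src="https://www.youtube.com/embed/VIDEO_ID"></iframe>
`;
const SAMPLE_REPORT = storageAccessReport("https://mydomain.com/", SAMPLE_HTML);
console.table(SAMPLE_REPORT);
```

Rows with `thirdParty: true` and `sharesPageStorage: true` are the ones to review: code from another host that can read and write whatever the page keeps in localStorage.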