I have read several answers on StackOverflow regarding the same-origin policy, but I don't seem to grasp the essential part.
In all tags that use the src attribute, like <script> and <img>, you are allowed to use external resources (from another domain).
Why is this allowed, but with an XMLHttpRequest (e.g. AJAX calls) it is not? I do not seem to grasp why the latter is more dangerous.
I mean, you could also have malicious code in an external source like:
<script src="http://example.com/malicious_script.js"></script>
The same-origin policy aims to protect the remote server's data from an unknown client, not to protect the client from malicious code from the server. <script> tags do not allow the client to make requests other than GETs or to obtain data that is not explicitly exposed by the server in a valid JavaScript file.