
What is the reason/background that the <script> tag is not part of the Same Origin Policy?

Over the last months I have read a lot about the Same Origin Policy of browsers and Cross Domain Requests.

All the time I have been wondering for what reasons the <script> tag is not part of it. I found the question asked several times, also here on Stack Overflow, but none of the replies answered why it isn't part of it.

Is this due to historical reasons or what is the background behind this idea?

I hope somebody can help me with this question.

Any1 asked Nov 27 '22 10:11


1 Answer

I don't know the reasons that it was decided that foreign <script> didn't need to be blocked, but there are many benefits of that decision.

  • Not all scripts have to be hosted on your own site, and, as a corollary,
  • scripts can be hosted by content delivery networks that can deliver them faster and allow the client to use cached versions of popular scripts.
  • Foreign scripts allow us to have cross-domain AJAX requests via JSONP.

Also, script tags historically predate the Same Origin Policy, so it would make sense that scripts could reference files not necessarily hosted by the same site, to be consistent with how the a, img, embed, frame and other tags also did.

Peter Olson answered Dec 15 '22 07:12
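The JSONP mechanism mentioned in the answer, as an added example that is not part of the original answer: the other origin wraps its data in a call to a callback the page names, and the included script runs in the including page. The function names, the sample data, and the use of `new Function` as a stand-in for the browser's script loading (so the sketch runs under Node) are assumptions.

```javascript
// Constructed sample: data that lives on the "other origin".
const REMOTE_DATA = { user: "alice", unread: 3 };

// Server side (other origin): wrap the JSON in a call to the requested
// callback. The callback name is reflected into executable script, so it
// is restricted to a plain identifier; anything else is rejected.
function jsonpResponse(callbackName, data) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]{0,63}$/.test(callbackName)) {
    throw new Error("invalid callback name");
  }
  return `${callbackName}(${JSON.stringify(data)});`;
}

// Client side: stand-in for
//   <script src="https://other.example/api?callback=NAME"></script>
// A browser executes the fetched body as script inside the including page.
// The page never reads the body as text; it only sees what the script does.
function includeScript(body, pageGlobals) {
  const names = Object.keys(pageGlobals);
  const run = new Function(...names, body);
  run(...names.map((n) => pageGlobals[n]));
}

// Full round trip: the page defines a callback, "includes" the remote
// script, and receives the data only because the script calls the callback.
function fetchViaJsonp(callbackName) {
  let received = null;
  const body = jsonpResponse(callbackName, REMOTE_DATA);
  includeScript(body, { [callbackName]: (d) => { received = d; } });
  return { body, received };
}

// The same property means the remote origin decides what runs: any
// statements it adds after the callback call execute in the page as well.
function includeUntrustedBody() {
  const log = [];
  includeScript('handle({"ok":true}); log.push("extra statement ran");', {
    handle: (d) => log.push("callback got ok=" + d.ok),
    log,
  });
  return log;
}
```

Including a foreign script therefore means trusting its origin with the page's full authority, which is why JSONP endpoints are only safe to consume from hosts you would let run arbitrary code in your page.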