Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is the HTML SCRIPT tag not subject to the same origin policy

I am asking this questions because we will develop an application that is supposed to share cross origin data via javascript. One possible solution seems JSONP as it uses SCRIPT tags pull data from other domains. However, I would like to avoid the situation that we implement our awesome code on the assumption that the SCRIPT tag is not subject to sop and at some point browsers prohibit this functionality.

Can anybody shed some light on what is the reason for the SCRIPT tag to allow cross domain requests?

like image 996
moritz Avatar asked May 10 '12 08:05

moritz


People also ask

Does it matter where script tag is in HTML?

The script tag should always be used before the body close or at the bottom in HTML file. The Page will load with HTML and CSS and later JavaScript will load.

Why do we need same-origin policy for the web?

The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.

How do you solve the same-origin policy?

Changing Origin Occasionally, the same origin policy may block requests between subdomains on the same domain. The easiest way to solve this problem is to set document. domain from within JavaScript.

What is same-origin policy and cross site scripting?

Cross-site scripting (also known as XSS) is a web security vulnerability that allows an attacker to compromise the interactions that users have with a vulnerable application. It allows an attacker to circumvent the same origin policy, which is designed to segregate different websites from each other.


2 Answers

I suppose this draft titled "Principles of the Same-Origin Policy" explains (albeit briefly) what's pretty much in everyone's head:

In principle, user agents could treat every URL as a separate principal and isolate each document from every other URL unless the document explicitly indicated that it trusted that URL. Unfortunately, this design is cumbersome for developers because web applications often consist of a number of resource acting in concert.

As an approximation, user agents group URLs together into protection domains called origins. In particular, two URLs are part of the same origin (i.e., represent the same principal) if they have the same scheme, host, and port.

In short: it would be much harder to build the Web if everything was subject to SOP.

like image 100
Jon Avatar answered Oct 08 '22 21:10

Jon


The reason is because of legacy. It was built that way many years ago and if it changes now, too many sites will fail. Plus the security implications are well known, since it has been around for so long.

like image 26
Kernel James Avatar answered Oct 08 '22 20:10

Kernel James