Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?
7th December 2010
My answer to Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests? on Quora
It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/. If cross-domain XHR was allowed, the evil site could suck that secret document off your intranet without you realising.
JavaScript should really have the same restrictions (I shouldn’t be able to load http://intranet.corp/top-secret-... via a script tag either), but as I understand it no one spotted the problem until the entire Internet economy was already dependent on externally hosted scripts as a business model.