Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?
7th December 2010
My answer to Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests? on Quora
It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.
JavaScript should really have the same restrictions (I shouldn’t be able to load http://intranet.corp/top-secret-... ) but as I understand it no one spotted the problem until the entire Internet economy was already dependent on externally hosted scripts as a business model.
More recent articles
- Weeknotes: Embeddings, more embeddings and Datasette Cloud - 17th September 2023
- Build an image search engine with llm-clip, chat with models with llm chat - 12th September 2023
- LLM now provides tools for working with embeddings - 4th September 2023
- Datasette 1.0a4 and 1.0a5, plus weeknotes - 30th August 2023
- Making Large Language Models work for you - 27th August 2023
- Datasette Cloud, Datasette 1.0a3, llm-mlc and more - 16th August 2023
- How I make annotated presentations - 6th August 2023
- Weeknotes: Plugins for LLM, sqlite-utils and Datasette - 5th August 2023
- Catching up on the weird world of LLMs - 3rd August 2023
- Run Llama 2 on your own Mac using LLM and Homebrew - 1st August 2023