Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?
7th December 2010
My answer to Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests? on Quora
It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.
JavaScript should really have the same restrictions (I shouldn’t be able to load http://intranet.corp/top-secret-... ) but as I understand it no one spotted the problem until the entire Internet economy was already dependent on externally hosted scripts as a business model.
More recent articles
- Maybe Meta's Llama claims to be open source because of the EU AI act - 19th April 2025
- Image segmentation using Gemini 2.5 - 18th April 2025
- GPT-4.1: Three new million token input models from OpenAI, including their cheapest model yet - 14th April 2025