Same-Origin Policy and serving JS from a CDN

Backend · Unresolved · 1 · 663
别那么骄傲 2020-12-28 16:06

I want to serve my JavaScript scripts from a CDN like cloudflare.

Now my scripts communicate with my app server via ajax. Wouldn't the same-origin policy restrictio

1 answer
  • 2020-12-28 16:50

    No, it will work. That's why JSONP works. The "origin" of the script is the page it is executed in, not where it comes from.

    As you asked for it, here's a reference (I couldn't find any better, but Crockford is well known)

    The src attribute, surprisingly, is not constrained by the Same Origin Policy. This means that a script element can be created which can go to any server, fetch a script, and execute it. If the script causes the delivery of JSON-encoded data, then this is a very useful thing. Unfortunately, there is no way to constrain the script or to inspect it before it executes. It runs with the same authority as scripts from the page. So the script can access and use its cookies. It can access the originating server using the user's authorization. It can inspect the DOM and the JavaScript global object, and send any information it finds anywhere in the world. The Script Tag Hack is not secure and should be avoided.

    http://javascript.crockford.com/script.html

    Not really a reference: If this didn't work, nobody could include jQuery from Google's CDN and then use its $.ajax method.
