How Come a CDN or External JavaScript File works in a Web Site?

失恋的感觉 2021-02-02 14:12

First off, I'm embarrassed that I don't know this. I know these things work, but just not sure why. There is something I still don't get about CDNs and stuff like Google Analy

1 answer
  • 2021-02-02 15:01

    You're misunderstanding these policies.

    SOP prevents a page (such as in a frame) from interacting with a page from a different domain, or from reading a resource (AJAX request) in a different domain.

    There is nothing wrong with a script from a different domain executing in your page, as long as you explicitly load it (that's how JSONP works). However, you can't read the script's source, since that's a resource from a different domain.

    Browser security restrictions are based on the source of the page executing the code, not the site that a particular <script> came from.


    Note that including JavaScript from a different domain grants that script full access to your page; it can send AJAX requests (to your domain) and steal information by sending non-AJAX requests to other domains.

    Only include a script from a different domain if you trust that domain.

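An added example, not part of the original question or answer: a Node.js audit that applies the scheme/host/port origin comparison to a page's `<script>` tags and lists every foreign origin whose code would run with the page's own authority. The page URL, the HTML and the integrity value are constructed placeholders, and the Subresource Integrity check is an addition the answer does not mention.

```javascript
// Constructed sample input: a page URL and the HTML it serves.
const PAGE_URL = "https://shop.example/checkout";
const SAMPLE_HTML = `
<script src="/js/app.js"></script>
<script src="https://cdn.example.net/lib/jquery.min.js"
        integrity="sha384-PLACEHOLDER" crossorigin="anonymous"></script>
<script src="//analytics.example.org/ga.js"></script>
<script src="https://shop.example:8443/admin.js"></script>
<script>console.log("inline");</script>
`;

// An origin is scheme + host + port; URL.origin normalizes all three.
function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Return one record per <script src> whose origin differs from the page's.
// The regex is a simplification for this sample; use an HTML parser on real pages.
function auditScripts(pageUrl, html) {
  const findings = [];
  const tagRe = /<script\b([^>]*)>/gi;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    const attrs = m[1];
    const src = /\bsrc\s*=\s*["']([^"']+)["']/i.exec(attrs);
    if (!src) continue; // inline script: the page's own code
    const resolved = new URL(src[1], pageUrl); // handles relative and // URLs
    if (sameOrigin(resolved.href, pageUrl)) continue;
    findings.push({
      origin: resolved.origin,
      url: resolved.href,
      // An integrity attribute pins the file's hash; a modified file is refused.
      hasIntegrity: /\bintegrity\s*=/i.test(attrs),
    });
  }
  return findings;
}

const report = auditScripts(PAGE_URL, SAMPLE_HTML);
for (const f of report) {
  console.log(`${f.origin} runs with the authority of ${new URL(PAGE_URL).origin}` +
              (f.hasIntegrity ? " (integrity-pinned)" : " (unpinned)"));
}
```

Each origin in the output is a domain the page has to trust in the sense the answer describes; the different-port entry shows that the same host on another port is still a different origin.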