Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?
7th December 2010
My answer to Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests? on Quora
It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.
JavaScript should really have the same restrictions (I shouldn’t be able to load http://intranet.corp/top-secret-... ) but as I understand it no one spotted the problem until the entire Internet economy was already dependent on externally hosted scripts as a business model.
More recent articles
- The last six months in LLMs, illustrated by pelicans on bicycles - 6th June 2025
- Tips on prompting ChatGPT for UK technology secretary Peter Kyle - 3rd June 2025
- How often do LLMs snitch? Recreating Theo's SnitchBench with LLM - 31st May 2025