Simon Willison’s Weblog

Subscribe

Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests?

7th December 2010

My answer to Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests? on Quora

It’s called the Same Origin Policy, and it’s principally about intranets. Imagine you have a URL http://intranet.corp/top-secret-...—and you then visit http://evil.example.com/ . If cross domain XHR was allowed the evil site could suck that secret document off your intranet without you realising.

JavaScript should really have the same restrictions (I shouldn’t be able to load http://intranet.corp/top-secret-... ) but as I understand it no one spotted the problem until the entire Internet economy was already dependent on externally hosted scripts as a business model.

Posted 7th December 2010 at 1:37 pm · Follow me on Mastodon, Bluesky, Twitter or subscribe to my newsletter

More recent articles

This is Why do browsers allow cross-domain JavaScript to execute but not XMLHttpRequests? by Simon Willison, posted on 7th December 2010.

Next: What are the underlying, unspoken values of TED?

Previous: What are some scalable OAuth and OpenID server implementations?