Other domains don't necessarily have cooties
April 7, 2010 8:29 AM
Why does the cross-domain restriction exist on the XMLHttpRequest object?
Plenty of sites explain that the XMLHttpRequest object cannot fetch data from a different domain for security reasons. This makes plenty of sense.
However, there is no such restriction on the script tag/element. It's trivial to write out a script tag via the DOM and fetch any old script that was necessary. In fact, from what I understand that's how JSONP works (with the support of a remote script) to circumvent the cross-domain restriction.
If the cross-domain restriction is easily circumvented, isn't it simply a roadblock on the path of legitimate developers?
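The JSONP mechanism mentioned in the question, as an added example that is not part of the original post: it simulates both sides in plain JavaScript to show that a script-tag response is executed rather than read, so data crosses origins only when the remote endpoint wraps it in a callback. The function names, the sample data, and the use of `new Function` as a stand-in for script-tag execution are assumptions made for the illustration.

```javascript
// Constructed simulation: runs in Node, no browser or network needed.
// jsonpResponse, loadViaScriptTag and onProfile are hypothetical names.

// Remote side: JSONP needs the remote site to opt in by wrapping its data
// in a call to the function name the requesting page supplies.
function jsonpResponse(callbackName, data) {
  // Accept only a plain identifier, so the callback parameter cannot carry
  // arbitrary script into the response body.
  if (!/^[A-Za-z_$][A-Za-z0-9_$]*$/.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  return callbackName + '(' + JSON.stringify(data) + ');';
}

// Page side: a <script src> response is executed, not returned as text.
// new Function stands in for that execution; the page sees only what the
// script passes to functions the page has defined.
function loadViaScriptTag(body, pageGlobals) {
  const names = Object.keys(pageGlobals);
  const run = new Function(...names, body);
  run(...names.map((name) => pageGlobals[name]));
}

function demo() {
  const received = [];
  const page = { onProfile: (d) => received.push(d) };

  // Cooperating endpoint: the data arrives through the callback.
  loadViaScriptTag(jsonpResponse('onProfile', { user: 'alice' }), page);

  // Endpoint that returns bare JSON (constructed sample): as a script it is
  // a syntax error, and the including page receives nothing.
  let bareJson = 'executed';
  try {
    loadViaScriptTag(JSON.stringify({ user: 'alice', balance: 100 }), page);
  } catch (e) {
    bareJson = e.name;
  }
  return { received, bareJson };
}

console.log(demo());
```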