Question
I have read several answers on StackOverflow regarding same-origin policy, but I don't seem to grasp the essential part.
In all tags that use the src attribute, like <script> and <img>, you are allowed to use external resources (from another domain).
Why is this allowed, but with an XMLHttpRequest (e.g. AJAX calls) it is not? I do not seem to grasp why the latter is more dangerous.
I mean, you could also have malicious code in an external source like:
<script src="http://example.com/malicious_script.js"></script>
Answer 1:
The same-origin policy aims to protect the remote server's data from an unknown client, not to protect the client from malicious code from the server. <script> tags do not allow the client to make requests other than GETs or to obtain data that is not explicitly exposed by the server in a valid JavaScript file.
Source: https://stackoverflow.com/questions/27519546/why-is-the-src-attribute-allowed-to-link-to-scripts-from-external-domains-and