I want to serve my JavaScript scripts from a CDN like cloudflare.

Now my scripts communicate with my app server via ajax. Wouldn't the same-origin policy restrictions come into play when I load these scripts from a CDN?

Let's say my app is on the domain:

http://app.com

And I load my scripts from

http://cdn.com/xyz/all.js

Now, since my scripts are loaded from a different domain than the domain my app is running from, I guess the same origin policy would prevent me from doing ajax communication with my app.

Am I getting something wrong?

treecoder

1 Answer

No, it will work. That's why JSONP works. The "origin" of the script is the page it is executed in, not where it comes from.

As you asked for it, here's a reference (I couldn't find any better, but Crockford is well known)

The src attribute, surprisingly, is not constrained by the Same Origin Policy. This means that a script element can be created which can go to any server, fetch a script, and execute it. If the script causes the delivery of JSON-encoded data, then this is a very useful thing. Unfortunately, there is no way to constrain the script or to inspect it before it executes. It runs with the same authority as scripts from the page. So the script can access and use its cookies. It can access the originating server using the user's authorization. It can inspect the DOM and the JavaScript global object, and send any information it finds anywhere in the world. The Script Tag Hack is not secure and should be avoided.

http://javascript.crockford.com/script.html

Not really a reference: If this didn't work, nobody could include jQuery from Google's CDN and then use its $.ajax method.

Prinzhorn
  • The reason JSONP works is because you can **GET** scripts from anywhere. But what I need to do is **POST** to a server having different domain than the origin of the script. Please clarify your answer a bit more – treecoder Sep 22 '12 at 13:02
  • Now you're mixing two things. Your script is fetched using *GET* from the CDN. After that, it lives in the domain of app.com – Prinzhorn Sep 22 '12 at 13:03
  • I don't know what I am not getting here, but a script loaded from domain A can NOT send data to domain B right? If I am right, how can a script loaded from CDN talk to a completely different domain of the app server? – treecoder Sep 22 '12 at 13:09
  • Replace "loaded from" with "execute in" and your statement is correct. The script tag lives in YOUR document (ajax is part of DOM) and the loaded script is part of YOUR domain, not the CDN's. – Prinzhorn Sep 22 '12 at 13:12
  • OK, so that means same-origin policy applies ONLY to the execution of the code, and not its loading? Code loaded from domain X into a domain Y can talk to any domain in the world, but it can not access the code loaded from domain Z into Y. That's the same origin policy -- am I right? – treecoder Sep 22 '12 at 13:15
  • Code loaded from domain X into a domain Y can only make AJAX requests to Y. – balafi Sep 22 '12 at 13:18
  • Loading a script using the script tag's `src` attribute has nothing to do with loading data using `XmlHttpRequest`. – Prinzhorn Sep 22 '12 at 13:20
  • @Elias are you saying that code loaded from X into Y can not talk to X itself? – treecoder Sep 22 '12 at 13:23
  • Because the script runs in Y (no matter where it came from...) and thus can talk to Y. – Prinzhorn Sep 22 '12 at 13:24
  • OK so there's two things: the domain that script comes **FROM** and the domain it comes **INTO**. And, a script can talk to both the domains: from and into -- right? – treecoder Sep 22 '12 at 13:26
  • Let me put this straight: **origin** (as in same origin policy) refers to the **document**. A script lives inside exactly **one** document (no matter how it got there) and the document comes from **one** domain. – Prinzhorn Sep 22 '12 at 13:32
  • So, once the script lives in the domain of the document, it can talk to that domain regardless of the domain the script itself comes from? – treecoder Sep 22 '12 at 13:39
  • Yes, I think you got it right now. You'll understand this better if you actually try it. – balafi Sep 22 '12 at 13:51
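As an added illustration (not part of the original answer or the linked Crockford article), here is a small JavaScript model of the decision the browser makes for the question's setup: only the document's origin (http://app.com) and the target URL enter the same-origin comparison, and the script's own URL (http://cdn.com/xyz/all.js) is never consulted. The `canReadCrossOriginResponse` function is a simplified, hypothetical model of the `Access-Control-Allow-Origin` rule, not a complete CORS implementation.

```javascript
// Added example: models how a browser decides whether an XHR/fetch issued by a
// script is same-origin. The origin comes from the DOCUMENT executing the
// script, never from the URL the script was downloaded from.

// Origin = (scheme, host, port) of a URL. URL.origin already drops a scheme's
// default port, so http://app.com and http://app.com:80 compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Is a request from a script running in `documentUrl` to `targetUrl` same-origin?
// The script's own URL is deliberately not a parameter: it does not matter.
function isSameOrigin(documentUrl, targetUrl) {
  return originOf(documentUrl) === originOf(targetUrl);
}

// Simplified CORS read check (hypothetical helper): a cross-origin response body
// is exposed to the page only when Access-Control-Allow-Origin names the
// document's origin, or is "*" for a request sent without credentials.
function canReadCrossOriginResponse(documentUrl, responseHeaders, withCredentials) {
  const acao = responseHeaders['access-control-allow-origin'];
  if (acao === undefined) return false;
  if (acao === '*') return !withCredentials;
  return acao === originOf(documentUrl);
}

// Classify a request the way the browser would. `scriptUrl` is accepted only to
// make explicit that it plays no role in the decision.
function classifyRequest({ documentUrl, scriptUrl, targetUrl,
                           responseHeaders = {}, withCredentials = false }) {
  void scriptUrl; // intentionally unused
  if (isSameOrigin(documentUrl, targetUrl)) return 'same-origin: allowed';
  return canReadCrossOriginResponse(documentUrl, responseHeaders, withCredentials)
    ? 'cross-origin: allowed by CORS'
    : 'cross-origin: blocked';
}

// The scenario from the question (constructed sample values):
const scenario = {
  documentUrl: 'http://app.com/',          // the page the user is on
  scriptUrl: 'http://cdn.com/xyz/all.js',  // where the script was fetched from
  targetUrl: 'http://app.com/api/save',    // the POST the script wants to make
};
console.log(classifyRequest(scenario));                      // same-origin: allowed
console.log(classifyRequest({ ...scenario, targetUrl: 'http://cdn.com/api' })); // cross-origin: blocked
```

Note that the same reasoning is what gives a CDN-hosted script full authority over the page, as the quoted Crockford passage warns: because it executes in the app.com document, it can issue requests to app.com with the user's cookies.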