
First off, I'm embarrassed that I don't know this. I know these things work, but just not sure why. There is something I still don't get about CDNs and stuff like Google Analytics or Adsense.

If these scripts are coming from a domain other than your site's domain how does this all tie in with same origin policy (SOP) and cross-site scripting (XSS)? From what I understand about XSS and SOP, these scripts just shouldn't be able to run or interact with the DOM in your site. How come they are given special privileges? And how are these special privileges differentiated from other external scripts that cause errors in browsers due to XSS and SOP?

In a nutshell, I want to know why scripts from another domain are allowed to run, interact with and manipulate my site?

nickytonline
  • related: http://stackoverflow.com/questions/12543978/same-origin-policy-and-serving-js-from-a-cdn – GibboK Jan 04 '16 at 14:29
  • also related: http://stackoverflow.com/questions/11991915/why-doesnt-this-javascript-call-break-the-same-origin-policy – GibboK Jan 04 '16 at 14:32

1 Answer


You're misunderstanding these policies.

SOP prevents a page (such as in a frame) from interacting with a page from a different domain, or from reading a resource (AJAX request) in a different domain.

There is nothing wrong with a script from a different domain executing in your page, as long as you explicitly load it (that's how JSONP works). However, you can't read the script's source, since that's a resource from a different domain.

Browser security restrictions are based on the source of the page executing the code, not the site that a particular <script> came from.


Note that including JavaScript from a different domain grants that script full access to your page; it can send AJAX requests (to your domain) and steal information by sending non-AJAX requests to other domains.

Only include a script from a different domain if you trust that domain.

SLaks
  • Thanks for clarifying SOP, but I still don't get the non-XSS issue with CDNs and stuff like Google Analytics. – nickytonline Oct 27 '11 at 15:30
  • XSS is an injection attack. What do you mean? – SLaks Oct 27 '11 at 15:31
  • Maybe, I've worded my question wrong. What I want to know is why are scripts from another domain allowed to run and manipulate my site? – nickytonline Oct 27 '11 at 15:33
  • @nickyt because the **page** from your domain explicitly requested that the browser load and execute the script. – Pointy Oct 27 '11 at 15:36
  • @Pointy - That's all I needed to hear. – nickytonline Oct 27 '11 at 15:39
  • @Pointy - What about dynamically adding scripts after the page has loaded? Will that only work for same domain scripts and cause external domain scripts to be rejected, or will it allow all scripts that I add because that JavaScript was run from a script in my site? – nickytonline Oct 27 '11 at 15:44
  • The script code has full access to your DOM, so it can mess with it in ways that include adding ` – Pointy Oct 27 '11 at 15:48
  • @nickyt: You can add ` – SLaks Oct 27 '11 at 15:49