CSS, and dynamically loaded scripts can be accessed across origins via the corresponding HTML tags (with fonts being a notable exception). Attacks take advantage of the fact that the same origin policy does not apply to HTML tags.

There are some mechanisms available to relax the SOP; one of them is cross-origin resource sharing (CORS).

History

The concept of same-origin policy was introduced by Netscape Navigator 2.02 in

1.Previous
3.Next