Sunday, November 18, 2018

Vulnerability of embedding a third-party script

The web’s security rests on the Same Origin Policy.
However, if a publisher directly embeds a third-party script, rather than isolating it in an iframe, the script is treated as coming from the publisher’s origin. Thus, the publisher (and its users) entirely lose the protections of the Same Origin Policy.
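
As an added example (not from the original post), this Node.js script audits a page for the situation described above: it resolves each `<script src>` against the page URL and lists those loaded from another origin, since they execute with the publisher's origin, while cross-origin iframes stay isolated. The URLs, the sample HTML and the function names are constructed for illustration.

```javascript
// Added example: audit a page for third-party scripts embedded directly.
// PAGE_URL and SAMPLE_HTML are constructed sample input (example.* hosts).
const PAGE_URL = "https://publisher.example/article.html";
const SAMPLE_HTML = `
<html><head>
  <script src="/static/app.js"></script>
  <script src="https://widgets.thirdparty.example/share.js"></script>
  <script async src='//ads.thirdparty.example/tag.js'></script>
</head><body>
  <iframe src="https://widgets.thirdparty.example/frame.html"></iframe>
  <script>console.log("inline, publisher's own code");</script>
</body></html>`;

// Collect the src attribute of every <tag ... src=...> element.
// A regex is enough for this sample; use a real HTML parser on live pages.
function srcAttributes(html, tag) {
  const re = new RegExp(
    `<${tag}\\b[^>]*?\\bsrc\\s*=\\s*(?:"([^"]*)"|'([^']*)'|([^\\s>]+))`, "gi");
  return [...html.matchAll(re)].map(m => m[1] ?? m[2] ?? m[3]);
}

// Classify every embed by comparing its resolved origin with the page's.
function auditEmbeds(pageUrl, html) {
  const pageOrigin = new URL(pageUrl).origin;
  const report = { firstParty: [], runsAsPublisher: [], isolatedFrames: [] };
  for (const src of srcAttributes(html, "script")) {
    const url = new URL(src, pageUrl); // resolves relative and //host forms
    const bucket = url.origin === pageOrigin
      ? report.firstParty
      : report.runsAsPublisher; // third-party code, publisher's origin
    bucket.push(url.href);
  }
  for (const src of srcAttributes(html, "iframe")) {
    const url = new URL(src, pageUrl);
    // A cross-origin frame keeps its own origin, so the Same Origin Policy
    // still separates it from the publisher's page.
    if (url.origin !== pageOrigin) report.isolatedFrames.push(url.href);
  }
  return report;
}

console.log(auditEmbeds(PAGE_URL, SAMPLE_HTML));
```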