Demystifying JavaScript's Same-Origin Policy: A Beginner's Guide

Welcome, aspiring web developers! Ever wondered why sometimes your JavaScript code seems to be blocked from accessing data from another website, even though everything looks perfectly fine? Or perhaps you’ve encountered frustrating errors related to “CORS” (Cross-Origin Resource Sharing)? The answer often lies in the Same-Origin Policy (SOP), a fundamental security mechanism in web browsers. In this comprehensive guide, we’ll unravel the mysteries of the SOP, understand its purpose, and learn practical techniques to work with it effectively. This tutorial is designed for beginners and intermediate developers who want to master this essential concept and write secure, robust web applications.

What is the Same-Origin Policy?

At its core, the Same-Origin Policy is a security feature implemented by web browsers to restrict how a website interacts with resources from a different origin. An origin is defined by the combination of three things: the protocol (e.g., `http` or `https`), the domain (e.g., `example.com`), and the port (e.g., `80` or `443`). If two websites have the same protocol, domain, and port, they are considered to be on the same origin. Otherwise, they are on different origins, and the SOP kicks in.

Think of it like this: imagine your browser as a secure vault. The SOP is the security guard that controls who can access the contents of the vault. Only websites from the same origin (the same vault) are allowed free access. Websites from different origins (different vaults) are treated with caution, and their access is restricted to prevent malicious activities like cross-site scripting (XSS) attacks, where a malicious script could steal user data.

Let’s illustrate with some examples:

`https://www.example.com` and `https://www.example.com` – Same origin.
`http://www.example.com` and `https://www.example.com` – Different origins (different protocols).
`www.example.com` and `example.com` – Different origins (technically, different domains, even if one redirects to the other).
`https://www.example.com:8080` and `https://www.example.com:80` – Different origins (different ports).
`https://subdomain.example.com` and `https://example.com` – Different origins (different subdomains).

Why is the Same-Origin Policy Important?

The SOP is crucial for web security. Without it, a malicious website could potentially:

Read sensitive data from other websites (e.g., your bank account details).
Modify data on other websites (e.g., change your password).
Perform actions on other websites on your behalf (e.g., make unauthorized purchases).

By restricting cross-origin interactions, the SOP helps to protect users from these types of attacks. It’s a fundamental building block of web security, and understanding it is essential for any web developer.

How Does the Same-Origin Policy Work?

The SOP primarily affects how JavaScript code can access resources from different origins. Specifically, it restricts:

**Reading data:** JavaScript code on one origin cannot directly read data from another origin’s response (e.g., using `XMLHttpRequest` or `fetch`).
**Writing data:** JavaScript code on one origin cannot directly modify data on another origin, unless explicitly allowed (e.g., using CORS).
**Accessing cookies and local storage:** JavaScript code on one origin is typically restricted from accessing cookies and local storage set by another origin.

The browser enforces these restrictions by blocking certain requests or operations. When a cross-origin request is made, the browser checks if it’s allowed based on the SOP and, if necessary, the CORS configuration of the target server. If the request is not allowed, the browser will typically log an error to the console and prevent the request from completing.

Common Scenarios Where You’ll Encounter the SOP

You’ll frequently bump into the SOP in these scenarios:

**Making API calls to a different domain:** When your JavaScript code needs to fetch data from a third-party API hosted on a different domain.
**Embedding content from other websites:** When you try to embed an `` or load resources like images, scripts, or stylesheets from a different origin.</li> <li>**Working with multiple subdomains:** When you want to share data between your main domain and its subdomains (e.g., `api.example.com` and `www.example.com`).</li> <li>**Developing Single-Page Applications (SPAs):** SPAs often interact with APIs on different origins, making the SOP a constant consideration.</li> </ul> <h2>Working with the Same-Origin Policy: Solutions and Techniques</h2> <p>While the SOP is restrictive, there are several techniques to work with it and enable cross-origin communication when necessary. Let’s explore some of the most common ones:</p> <h3>1. Cross-Origin Resource Sharing (CORS)</h3> <p>CORS is the most common and recommended way to handle cross-origin requests. It allows a server to specify which origins are permitted to access its resources. It works by adding special HTTP headers to the server’s responses.</p> <p>Here’s how it works:</p> <ol> <li>**The browser sends a preflight request (OPTIONS) (for certain types of requests):** Before making the actual cross-origin request, the browser might send an `OPTIONS` request to the server to check if it’s allowed.</li> <li>**The server responds with CORS headers:** The server includes specific headers in its response, such as `Access-Control-Allow-Origin`, `Access-Control-Allow-Methods`, and `Access-Control-Allow-Headers`. These headers tell the browser which origins are allowed, which HTTP methods are permitted, and which headers are allowed in the actual request.</li> <li>**The browser checks the headers:** The browser examines the CORS headers in the server’s response. If the headers indicate that the origin of the request is allowed, the browser allows the request to proceed. Otherwise, the browser blocks the request and throws an error.</li> </ol> <p><b>Example (Server-Side – Node.js with Express):</b></p> <pre><code class="language-javascript" data-line="">const express = require('express'); const cors = require('cors'); const app = express(); const port = 3000; // Enable CORS for all origins (for development - not recommended for production) app.use(cors()); // Or, enable CORS for specific origins // const corsOptions = { // origin: 'https://your-allowed-origin.com', // optionsSuccessStatus: 200 // some legacy browsers (IE11, various SmartTVs) choke on 204 // }; // app.use(cors(corsOptions)); app.get('/api/data', (req, res) => { res.json({ message: 'Hello from the server!' }); }); app.listen(port, () => { console.log(`Server listening on port ${port}`); }); </code></pre> <p>In this Node.js example, the `cors()` middleware is used to enable CORS. The simplest form, `cors()`, allows requests from any origin. For production, it’s best to specify the allowed origins using the `origin` option.</p> <p><b>Example (Client-Side – JavaScript):</b></p> <pre><code class="language-javascript" data-line="">async function fetchData() { try { const response = await fetch('http://localhost:3000/api/data'); // Replace with your server's URL if (!response.ok) { throw new Error(`HTTP error! status: ${response.status}`); } const data = await response.json(); console.log(data.message); } catch (error) { console.error('Error fetching data:', error); } } fetchData(); </code></pre> <p>In this client-side example, the `fetch` API is used to make a cross-origin request. If the server has the correct CORS headers, the request will succeed. If not, the browser will block it.</p> <p><b>Common CORS Headers:</b></p> <ul> <li>`Access-Control-Allow-Origin`: Specifies the origins that are allowed to access the resource. Can be a single origin (e.g., `https://example.com`) or the wildcard `*` (which allows all origins – use with caution!).</li> <li>`Access-Control-Allow-Methods`: Specifies the HTTP methods that are allowed (e.g., `GET`, `POST`, `PUT`, `DELETE`).</li> <li>`Access-Control-Allow-Headers`: Specifies the request headers that are allowed (e.g., `Content-Type`, `Authorization`).</li> <li>`Access-Control-Allow-Credentials`: If set to `true`, indicates that the request can include credentials (e.g., cookies, authorization headers). If this is `true`, the `Access-Control-Allow-Origin` cannot be `*`.</li> </ul> <p><b>Important Considerations for CORS:</b></p> <ul> <li>**Server-Side Configuration is Key:** You *must* configure the server to send the appropriate CORS headers. The client-side code cannot magically bypass the SOP.</li> <li>**Security Implications of `*`:** While using `Access-Control-Allow-Origin: *` makes development easier, it’s generally not recommended for production environments. It allows any website to access your resources, which can be a security risk. Instead, specify the exact origins that are allowed.</li> <li>**Preflight Requests:** For certain types of cross-origin requests (e.g., those using methods like `PUT` or `DELETE`, or those with custom headers), the browser sends a preflight `OPTIONS` request to the server before the actual request. The server must respond to the `OPTIONS` request with the appropriate CORS headers.</li> </ul> <h3>2. JSONP (JSON with Padding)</h3> <p>JSONP is a technique that leverages the `<script>` tag to bypass the SOP. It's an older method and less flexible than CORS, but it can still be useful in specific scenarios. It relies on the fact that the `<script>` tag can load resources from any origin.</p> <p>Here's how it works:</p> <ol> <li>**The client makes a request to a server endpoint that supports JSONP.** The request usually includes a callback parameter, which specifies the name of a JavaScript function to be executed when the data is received.</li> <li>**The server responds with a JavaScript file.** The response is not a regular JSON response, but rather a JavaScript file that contains a function call. The function call passes the JSON data as an argument to the callback function specified in the request.</li> <li>**The browser executes the JavaScript file.** The browser executes the JavaScript file, which calls the callback function with the JSON data.</li> </ol> <p><b>Example (Server-Side - using a hypothetical JSONP endpoint):</b></p> <pre><code class="language-javascript" data-line="">// Hypothetical server-side code (simplified) function generateJSONPResponse(data, callback) { return `${callback}(${JSON.stringify(data)});`; } // Example data const data = { message: 'Hello from JSONP!' }; // Construct the JSONP response const jsonpResponse = generateJSONPResponse(data, 'myCallbackFunction'); // Send the response (e.g., via a GET request to /api/jsonp?callback=myCallbackFunction) // In a real implementation, you'd handle parameters and return the response accordingly. </code></pre> <p><b>Example (Client-Side - JavaScript):</b></p> <pre><code class="language-javascript" data-line=""> function myCallbackFunction(data) { console.log(data.message); } // Create a script element const script = document.createElement('script'); // Set the source to the JSONP endpoint, including the callback parameter script.src = 'http://example.com/api/jsonp?callback=myCallbackFunction'; // Append the script element to the document document.head.appendChild(script); // The script will execute, calling myCallbackFunction with the data. </code></pre> <p><b>Pros of JSONP:</b></p> <ul> <li>Works in older browsers that might not fully support CORS.</li> <li>Simple to implement in some cases.</li> </ul> <p><b>Cons of JSONP:</b></p> <ul> <li>Limited to `GET` requests.</li> <li>Less secure than CORS (because it executes arbitrary JavaScript).</li> <li>Requires the server to specifically support JSONP.</li> <li>Error handling can be tricky.</li> </ul> <p><b>When to Use JSONP:</b></p> <p>JSONP is generally considered a legacy technique. It might still be useful in these situations:</p> <ul> <li>You need to support very old browsers.</li> <li>You have no control over the server and cannot configure CORS.</li> <li>The API you're interacting with only supports JSONP.</li> </ul> <h3>3. Proxy Servers</h3> <p>A proxy server acts as an intermediary between your client and the target server. Instead of making the cross-origin request directly from the client, you make the request to your own server (the proxy), which then forwards the request to the target server and returns the response to your client.</p> <p>Here's how it works:</p> <ol> <li>**The client makes a request to your proxy server (same origin).**</li> <li>**Your proxy server forwards the request to the target server (different origin).**</li> <li>**The target server responds to your proxy server.**</li> <li>**Your proxy server forwards the response back to your client (same origin).**</li> </ol> <p><b>Example (Server-Side - Node.js with Express):</b></p> <pre><code class="language-javascript" data-line=""> const express = require('express'); const axios = require('axios'); // You'll need to install axios: npm install axios const app = express(); const port = 3000; app.get('/api/proxy', async (req, res) => { const targetUrl = req.query.url; // Get the target URL from the query parameters if (!targetUrl) { return res.status(400).json({ error: 'Missing target URL' }); } try { const response = await axios.get(targetUrl); res.json(response.data); } catch (error) { console.error('Error proxying request:', error); res.status(500).json({ error: 'Failed to proxy request' }); } }); app.listen(port, () => { console.log(`Proxy server listening on port ${port}`); }); </code></pre> <p><b>Example (Client-Side - JavaScript):</b></p> <pre><code class="language-javascript" data-line=""> async function fetchData() { try { const targetUrl = 'https://api.example.com/data'; // The URL of the external API const proxyUrl = `/api/proxy?url=${encodeURIComponent(targetUrl)}`; // The URL of your proxy server const response = await fetch(proxyUrl); if (!response.ok) { throw new Error(`HTTP error! status: ${response.status}`); } const data = await response.json(); console.log(data); } catch (error) { console.error('Error fetching data:', error); } } fetchData(); </code></pre> <p><b>Pros of Proxy Servers:</b></p> <ul> <li>Bypasses the SOP because the client is making requests to the same origin (your server).</li> <li>Allows you to control and manipulate the requests and responses.</li> <li>Can be used to add authentication or other security measures.</li> </ul> <p><b>Cons of Proxy Servers:</b></p> <ul> <li>Adds complexity to your application (you need to set up and maintain a server).</li> <li>Can introduce latency.</li> <li>Requires you to handle the proxy logic on your server.</li> </ul> <p><b>When to Use Proxy Servers:</b></p> <p>Proxy servers are a good solution when:</p> <ul> <li>You need to access an API that doesn't support CORS.</li> <li>You want to add security or authentication to your API requests.</li> <li>You need to manipulate the requests or responses before sending them to the client.</li> </ul> <h3>4. Using a Server-Side Language (e.g., PHP, Python, Ruby)</h3> <p>Similar to proxy servers, you can use a server-side language to fetch data from a different origin. Your server-side code makes the request to the external API, and then your client-side code fetches the data from your server.</p> <p>The principle is the same as with proxy servers: the client makes a request to your server (same origin), and your server handles the cross-origin request.</p> <p><b>Example (Server-Side - PHP):</b></p> <pre><code class="language-php" data-line=""> <?php $targetUrl = $_GET['url']; if ($targetUrl) { $response = file_get_contents($targetUrl); header('Content-Type: application/json'); // Or whatever content type is appropriate echo $response; } else { http_response_code(400); echo json_encode(['error' => 'Missing URL parameter']); } ?> </code></pre> <p><b>Example (Client-Side - JavaScript):</b></p> <pre><code class="language-javascript" data-line=""> async function fetchData() { try { const targetUrl = 'https://api.example.com/data'; const phpScriptUrl = `your-php-script.php?url=${encodeURIComponent(targetUrl)}`; const response = await fetch(phpScriptUrl); if (!response.ok) { throw new Error(`HTTP error! status: ${response.status}`); } const data = await response.json(); console.log(data); } catch (error) { console.error('Error fetching data:', error); } } fetchData(); </code></pre> <p>This approach has the same advantages and disadvantages as using a proxy server. The main difference is the technology used for the server-side component.</p> <h3>5. PostMessage API</h3> <p>The `postMessage` API provides a way for windows and iframes to communicate with each other, even if they are from different origins. It's a powerful tool for cross-origin communication when you have control over both the sender and receiver.</p> <p>Here's how it works:</p> <ol> <li>**The sender window calls `postMessage()`:** The sender window calls the `postMessage()` method on the receiver window (e.g., an `<iframe>` or another window opened with `window.open()`). The `postMessage()` method takes two arguments: the message to send (a string or a structured object) and the target origin (the origin of the receiver window).</li> <li>**The receiver window listens for the `message` event:** The receiver window adds an event listener for the `message` event. When the sender window calls `postMessage()`, the receiver window's `message` event listener is triggered.</li> <li>**The receiver window processes the message:** The receiver window's `message` event listener receives the message and the origin of the sender window. The receiver can then process the message and perform actions accordingly.</li> </ol> <p><b>Example (Sender - e.g., `index.html`):</b></p> <pre><code class="language-html" data-line=""> <!DOCTYPE html> <html> <head> <title>Sender</title> </head> <body> <iframe id="myIframe" src="http://example.com/receiver.html"></iframe> <script> const iframe = document.getElementById('myIframe'); function sendMessage() { const message = { type: 'greeting', text: 'Hello from the sender!' }; iframe.contentWindow.postMessage(message, 'http://example.com'); // Target origin is crucial! } setTimeout(sendMessage, 2000); // Send the message after 2 seconds </script> </body> </html> </code></pre> <p><b>Example (Receiver - e.g., `receiver.html`):</b></p> <pre><code class="language-html" data-line=""> <!DOCTYPE html> <html> <head> <title>Receiver</title> </head> <body> <script> window.addEventListener('message', (event) => { // Check the origin to ensure you're only accepting messages from trusted sources if (event.origin !== 'http://your-sender-origin.com') { // Replace with the sender's origin return; // Ignore messages from untrusted origins } console.log('Received message:', event.data); // Process the message (e.g., update the UI) if (event.data.type === 'greeting') { alert(event.data.text); } }); </script> </body> </html> </code></pre> <p><b>Pros of `postMessage`:</b></p> <ul> <li>Allows communication between windows and iframes from different origins.</li> <li>Secure (when used correctly, with origin validation).</li> <li>Flexible for various communication scenarios.</li> </ul> <p><b>Cons of `postMessage`:</b></p> <ul> <li>Requires you to control both the sender and receiver.</li> <li>Requires careful origin validation to prevent security vulnerabilities.</li> <li>Can be more complex than other methods, especially for simple data transfers.</li> </ul> <p><b>Important Considerations for `postMessage`:</b></p> <ul> <li>**Always validate the origin:** The `event.origin` property in the `message` event contains the origin of the sender window. You *must* validate this property to ensure that you are only accepting messages from trusted sources. Failing to do so can open your application to XSS attacks.</li> <li>**Use structured data:** It's best to send structured data (e.g., JSON objects) instead of just strings. This allows you to send more complex information and makes it easier to process the messages on the receiver side.</li> <li>**Consider the target origin:** When calling `postMessage()`, you specify the target origin. This ensures that the message is only sent to the intended receiver.</li> </ul> <h2>Common Mistakes and How to Fix Them</h2> <p>Here are some common mistakes developers make when dealing with the SOP and how to avoid them:</p> <ul> <li>**Not understanding the SOP:** The most fundamental mistake is not understanding the purpose and implications of the SOP. Make sure you understand how the SOP works before you start trying to bypass it.</li> <li>**Misconfiguring CORS:** Incorrectly setting up CORS headers on the server is a frequent issue. Make sure the `Access-Control-Allow-Origin` header is set correctly (either to a specific origin or to `*` with caution). Also, ensure that all necessary headers and methods are allowed.</li> <li>**Using `*` in `Access-Control-Allow-Origin` in production:** While convenient, using `*` in production opens your API to any website. Always specify the exact origins that are allowed.</li> <li>**Not validating the origin in `postMessage`:** Failing to validate the `event.origin` in the `message` event listener can lead to serious security vulnerabilities. Always verify the origin of the sender before processing the message.</li> <li>**Trying to bypass the SOP client-side without a valid reason:** The SOP is a security feature. Don't try to circumvent it unless you have a legitimate reason (e.g., you control both the client and the server, or you are using a proxy server).</li> <li>**Incorrectly using JSONP:** JSONP is limited and less secure than CORS. Only use it if you must support very old browsers or if the API you are using only supports JSONP.</li> <li>**Not handling errors:** When making cross-origin requests, always handle errors properly. Check the response status and handle any exceptions that may occur.</li> </ul> <h2>Summary: Key Takeaways</h2> <ul> <li>The Same-Origin Policy is a critical security mechanism in web browsers.</li> <li>It restricts cross-origin interactions to prevent malicious attacks.</li> <li>CORS is the preferred way to enable cross-origin requests when necessary.</li> <li>Understand the implications of using `*` in `Access-Control-Allow-Origin`.</li> <li>Use proxy servers or server-side languages to handle cross-origin requests when CORS is not an option.</li> <li>Validate the origin in `postMessage` to ensure security.</li> <li>Handle errors and exceptions when making cross-origin requests.</li> </ul> <h2>FAQ</h2> <ol> <li><b>What happens if I don't configure CORS correctly?</b> <p>If you don't configure CORS correctly, the browser will block cross-origin requests and you'll see errors in the browser's console. The most common error message is something like: "Access to XMLHttpRequest at '...' from origin '...' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource."</p> </li> <li><b>Can I disable the Same-Origin Policy in my browser?</b> <p>Yes, you can, but it is *strongly* discouraged for general browsing. Disabling the SOP makes your browser vulnerable to various security threats. You might disable it temporarily for development purposes, but always re-enable it when you're finished. The method to disable the SOP varies depending on your browser. For example, in Chrome, you can launch Chrome with the `--disable-web-security` and `--user-data-dir` flags. Use this with extreme caution!</p> </li> <li><b>What are the security risks of using `*` in `Access-Control-Allow-Origin`?</b> <p>Using `*` allows any website to make requests to your API. This means a malicious website could potentially:</p> <ul> <li>Read sensitive data from your API.</li> <li>Make unauthorized changes to data on your API.</li> <li>Exploit vulnerabilities in your API.</li> </ul> <p>It's generally safe to use `*` for testing purposes or for public APIs where security is less of a concern. But for production APIs that handle sensitive data, you should always specify the exact origins that are allowed.</p> </li> <li><b>Is JSONP more secure than CORS?</b> <p>No, JSONP is generally *less* secure than CORS. Because JSONP relies on executing JavaScript from a different origin, it can be vulnerable to XSS attacks. CORS, on the other hand, is a more secure mechanism because it relies on the server explicitly allowing cross-origin requests. CORS provides more control and flexibility, and it's less prone to security vulnerabilities when configured correctly.</p> </li> <li><b>When should I use a proxy server?</b> <p>You should use a proxy server when you need to access an API that doesn't support CORS or when you want to add security or authentication to your API requests. Proxy servers are also useful when you need to manipulate the requests or responses before sending them to the client. Keep in mind, this adds complexity to your architecture.</p> </li> </ol> <p>Understanding and correctly implementing the Same-Origin Policy is not just a technical requirement; it's a fundamental part of building secure, reliable web applications. By mastering the concepts and techniques discussed in this tutorial, you'll be well-equipped to navigate the complexities of cross-origin communication and create robust, secure web experiences for your users. As you continue your journey in web development, remember that security is an ongoing process, and staying informed about best practices and emerging threats is crucial. The web is constantly evolving, and so should your understanding of the principles that keep it safe.</p> <div class="wpzoom-social-sharing-buttons-bottom"><div class="wp-block-wpzoom-blocks-social-sharing align-none"><ul class="social-sharing-icons"><li class="social-sharing-icon-li"><a class="social-sharing-icon social-sharing-icon-facebook" style="padding:5px 15px;margin:5px 5px;border-radius:50px;font-size:20px;color:#ffffff;background-color:#0866FF;" href="https://www.facebook.com/sharer/sharer.php?u=https%3A%2F%2Flearnmodernjavascript.com%2Fdemystifying-javascripts-same-origin-policy-a-beginners-guide%2F&t=Demystifying+JavaScript%26%238217%3Bs+Same-Origin+Policy%3A+A+Beginner%26%238217%3Bs+Guide" title="Facebook" target="_blank" rel="noopener noreferrer" data-platform="facebook"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M24 12.073c0-6.627-5.373-12-12-12s-12 5.373-12 12c0 5.99 4.388 10.954 10.125 11.854v-8.385H7.078v-3.47h3.047V9.43c0-3.007 1.792-4.669 4.533-4.669 1.312 0 2.686.235 2.686.235v2.953H15.83c-1.491 0-1.956.925-1.956 1.874v2.25h3.328l-.532 3.47h-2.796v8.385C19.612 23.027 24 18.062 24 12.073z" /></svg><span class="social-sharing-icon-label" style="font-size:16px;color:inherit;">Facebook</span></a></li><li class="social-sharing-icon-li"><a class="social-sharing-icon social-sharing-icon-x" style="padding:5px 15px;margin:5px 5px;border-radius:50px;font-size:20px;color:#ffffff;background-color:#000000;" href="https://x.com/intent/tweet?url=https%3A%2F%2Flearnmodernjavascript.com%2Fdemystifying-javascripts-same-origin-policy-a-beginners-guide%2F&text=Demystifying+JavaScript%26%238217%3Bs+Same-Origin+Policy%3A+A+Beginner%26%238217%3Bs+Guide" title="Share on X" target="_blank" rel="noopener noreferrer" data-platform="x"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M18.901 1.153h3.68l-8.04 9.19L24 22.846h-7.406l-5.8-7.584-6.638 7.584H.474l8.6-9.83L0 1.154h7.594l5.243 6.932ZM17.61 20.644h2.039L6.486 3.24H4.298Z" /></svg><span class="social-sharing-icon-label" style="font-size:16px;color:inherit;">Share on X</span></a></li><li class="social-sharing-icon-li"><a class="social-sharing-icon social-sharing-icon-linkedin" style="padding:5px 15px;margin:5px 5px;border-radius:50px;font-size:20px;color:#ffffff;background-color:#0966c2;" href="https://www.linkedin.com/sharing/share-offsite/?url=https%3A%2F%2Flearnmodernjavascript.com%2Fdemystifying-javascripts-same-origin-policy-a-beginners-guide%2F" title="LinkedIn" target="_blank" rel="noopener noreferrer" data-platform="linkedin"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M20.447 20.452h-3.554v-5.569c0-1.328-.027-3.037-1.852-3.037-1.853 0-2.136 1.445-2.136 2.939v5.667H9.351V9h3.414v1.561h.046c.477-.9 1.637-1.85 3.37-1.85 3.601 0 4.267 2.37 4.267 5.455v6.286zM5.337 7.433c-1.144 0-2.063-.926-2.063-2.065 0-1.138.92-2.063 2.063-2.063 1.14 0 2.064.925 2.064 2.063 0 1.139-.925 2.065-2.064 2.065zm1.782 13.019H3.555V9h3.564v11.452zM22.225 0H1.771C.792 0 0 .774 0 1.729v20.542C0 23.227.792 24 1.771 24h20.451C23.2 24 24 23.227 24 22.271V1.729C24 .774 23.2 0 22.222 0h.003z" /></svg><span class="social-sharing-icon-label" style="font-size:16px;color:inherit;">LinkedIn</span></a></li><li class="social-sharing-icon-li"><a class="social-sharing-icon social-sharing-icon-whatsapp" style="padding:5px 15px;margin:5px 5px;border-radius:50px;font-size:20px;color:#ffffff;background-color:#25D366;" href="https://api.whatsapp.com/send?text=Demystifying+JavaScript%26%238217%3Bs+Same-Origin+Policy%3A+A+Beginner%26%238217%3Bs+Guide+https%3A%2F%2Flearnmodernjavascript.com%2Fdemystifying-javascripts-same-origin-policy-a-beginners-guide%2F" title="WhatsApp" target="_blank" rel="noopener noreferrer" data-platform="whatsapp"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M17.472 14.382c-.297-.149-1.758-.867-2.03-.967-.273-.099-.471-.148-.67.15-.197.297-.767.966-.94 1.164-.173.199-.347.223-.644.075-.297-.15-1.255-.463-2.39-1.475-.883-.788-1.48-1.761-1.653-2.059-.173-.297-.018-.458.13-.606.134-.133.298-.347.446-.52.149-.174.198-.298.298-.497.099-.198.05-.371-.025-.52-.075-.149-.669-1.612-.916-2.207-.242-.579-.487-.5-.669-.51-.173-.008-.371-.01-.57-.01-.198 0-.52.074-.792.372-.272.297-1.04 1.016-1.04 2.479 0 1.462 1.065 2.875 1.213 3.074.149.198 2.096 3.2 5.077 4.487.709.306 1.262.489 1.694.625.712.227 1.36.195 1.871.118.571-.085 1.758-.719 2.006-1.413.248-.694.248-1.289.173-1.413-.074-.124-.272-.198-.57-.347m-5.421 7.403h-.004a9.87 9.87 0 01-5.031-1.378l-.361-.214-3.741.982.998-3.648-.235-.374a9.86 9.86 0 01-1.51-5.26c.001-5.45 4.436-9.884 9.888-9.884 2.64 0 5.122 1.03 6.988 2.898a9.825 9.825 0 012.893 6.994c-.003 5.45-4.437 9.884-9.885 9.884m8.413-18.297A11.815 11.815 0 0012.05 0C5.495 0 .16 5.335.157 11.892c0 2.096.547 4.142 1.588 5.945L.057 24l6.305-1.654a11.882 11.882 0 005.683 1.448h.005c6.554 0 11.89-5.335 11.893-11.893a11.821 11.821 0 00-3.48-8.413z" /></svg><span class="social-sharing-icon-label" style="font-size:16px;color:inherit;">WhatsApp</span></a></li><li class="social-sharing-icon-li"><a class="social-sharing-icon social-sharing-icon-email" style="padding:5px 15px;margin:5px 5px;border-radius:50px;font-size:20px;color:#ffffff;background-color:#333333;" href="mailto:?subject=Demystifying+JavaScript%26%238217%3Bs+Same-Origin+Policy%3A+A+Beginner%26%238217%3Bs+Guide&body=https%3A%2F%2Flearnmodernjavascript.com%2Fdemystifying-javascripts-same-origin-policy-a-beginners-guide%2F" title="Email" target="_blank" rel="noopener noreferrer" data-platform="email"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M20 4H4c-1.1 0-1.99.9-1.99 2L2 18c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V6c0-1.1-.9-2-2-2zm-.4 4.25l-7.07 4.42c-.32.2-.74.2-1.06 0L4.4 8.25c-.25-.16-.4-.43-.4-.72 0-.67.73-1.07 1.3-.72L12 11l6.7-4.19c.57-.35 1.3.05 1.3.72 0 .29-.15.56-.4.72z" /></svg><span class="social-sharing-icon-label" style="font-size:16px;color:inherit;">Email</span></a></li><li class="social-sharing-icon-li"><a class="social-sharing-icon social-sharing-icon-copy-link" style="padding:5px 15px;margin:5px 5px;border-radius:50px;font-size:20px;color:#ffffff;background-color:#333333;" href="#copy-link" title="Copy Link" data-platform="copy-link"><svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M3.9 12c0-1.71 1.39-3.1 3.1-3.1h4V7H7c-2.76 0-5 2.24-5 5s2.24 5 5 5h4v-1.9H7c-1.71 0-3.1-1.39-3.1-3.1zM8 13h8v-2H8v2zm9-6h-4v1.9h4c1.71 0 3.1 1.39 3.1 3.1s-1.39 3.1-3.1 3.1h-4V17h4c2.76 0 5-2.24 5-5s-2.24-5-5-5z" /></svg><span class="social-sharing-icon-label" style="font-size:16px;color:inherit;">Copy Link</span></a></li></ul><script> document.addEventListener("DOMContentLoaded", function() { var copyLinks = document.querySelectorAll("a[data-platform='copy-link']"); copyLinks.forEach(function(link) { if (link.hasAttribute("data-listener-added")) return; link.setAttribute("data-listener-added", "true"); link.addEventListener("click", function(e) { e.preventDefault(); var tempInput = document.createElement("input"); tempInput.value = window.location.href; document.body.appendChild(tempInput); tempInput.select(); document.execCommand("copy"); document.body.removeChild(tempInput); var originalText = this.querySelector(".social-sharing-icon-label")?.textContent || ""; var originalTitle = this.getAttribute("title"); var originalIcon = this.querySelector("svg").outerHTML; // Show success feedback this.setAttribute("title", "Copied!"); this.classList.add("copied"); if (this.querySelector(".social-sharing-icon-label")) { this.querySelector(".social-sharing-icon-label").textContent = "Copied!"; } else { this.querySelector("svg").outerHTML = '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24" width="20" height="20" style="fill:#ffffff;" aria-hidden="true" focusable="false"><path d="M9 16.17L4.83 12l-1.42 1.41L9 19 21 7l-1.41-1.41L9 16.17z" /></svg>'; } var self = this; setTimeout(function() { self.setAttribute("title", originalTitle); self.classList.remove("copied"); if (self.querySelector(".social-sharing-icon-label")) { self.querySelector(".social-sharing-icon-label").textContent = originalText; } else { self.querySelector("svg").outerHTML = originalIcon; } }, 2000); }); }); }); </script></div></div></div> <div class="wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained" style="padding-top:var(--wp--preset--spacing--60);padding-bottom:var(--wp--preset--spacing--60)"><div class="taxonomy-post_tag is-style-post-terms-1 is-style-post-terms-1--2 wp-block-post-terms"><a href="https://learnmodernjavascript.com/tag/beginners/" rel="tag">Beginners</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/cors/" rel="tag">CORS</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/intermediate/" rel="tag">intermediate</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/javascript/" rel="tag">JavaScript</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/jsonp/" rel="tag">JSONP</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/same-origin-policy/" rel="tag">Same-Origin Policy</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/tutorial/" rel="tag">Tutorial</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/web-development/" rel="tag">Web Development</a><span class="wp-block-post-terms__separator"> </span><a href="https://learnmodernjavascript.com/tag/web-security/" rel="tag">Web Security</a></div></div> <div class="wp-block-group alignwide is-layout-flow wp-block-group-is-layout-flow" style="margin-top:var(--wp--preset--spacing--60);margin-bottom:var(--wp--preset--spacing--60)"> <nav class="wp-block-group alignwide is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-878fe601 wp-block-group-is-layout-flex" aria-label="Post navigation" style="border-top-color:var(--wp--preset--color--accent-6);border-top-width:1px;padding-top:var(--wp--preset--spacing--40);padding-bottom:var(--wp--preset--spacing--40)"><div class="post-navigation-link-previous wp-block-post-navigation-link"><span class="wp-block-post-navigation-link__arrow-previous is-arrow-arrow" aria-hidden="true">←</span><a href="https://learnmodernjavascript.com/why-eval-is-dangerous-and-modern-alternatives-for-wordpress-developers/" rel="prev">Why `eval()` is Dangerous (And Modern Alternatives) for WordPress Developers</a></div> <div class="post-navigation-link-next wp-block-post-navigation-link"><a href="https://learnmodernjavascript.com/securely-storing-tokens-in-javascript-a-comprehensive-guide/" rel="next">Securely Storing Tokens in JavaScript: A Comprehensive Guide</a><span class="wp-block-post-navigation-link__arrow-next is-arrow-arrow" aria-hidden="true">→</span></div></nav> </div> </div> <div class="wp-block-group alignwide has-global-padding is-layout-constrained wp-block-group-is-layout-constrained" style="padding-top:var(--wp--preset--spacing--60);padding-bottom:var(--wp--preset--spacing--60)"> <h2 class="wp-block-heading alignwide has-small-font-size" style="font-style:normal;font-weight:700;letter-spacing:1.4px;text-transform:uppercase">More posts</h2> <div class="wp-block-query alignwide is-layout-flow wp-block-query-is-layout-flow"><ul class="alignfull wp-block-post-template is-layout-flow wp-container-core-post-template-is-layout-b4d04ffe wp-block-post-template-is-layout-flow"><li class="wp-block-post post-4507 post type-post status-publish format-standard hentry category-javascript tag-beginner tag-canvas tag-css tag-dom-manipulation tag-drawing-app tag-event-handling tag-html tag-interactive tag-tutorial tag-typescript tag-web-development"> <div class="wp-block-group alignfull is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-cba70755 wp-block-group-is-layout-flex" style="border-bottom-color:var(--wp--preset--color--accent-6);border-bottom-width:1px;padding-top:var(--wp--preset--spacing--30);padding-bottom:var(--wp--preset--spacing--30)"><h3 class="wp-block-post-title has-large-font-size"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-interactive-drawing-application/" target="_self" >TypeScript Tutorial: Building a Simple Interactive Drawing Application</a></h3> <div class="has-text-align-right wp-block-post-date"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-interactive-drawing-application/"><time datetime="2026-03-20T21:51:29+00:00">March 20, 2026</time></a></div></div> </li><li class="wp-block-post post-4451 post type-post status-publish format-standard hentry category-javascript tag-beginners tag-css tag-form-validation tag-html tag-intermediate tag-javascript tag-tutorial tag-typescript tag-web-development"> <div class="wp-block-group alignfull is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-cba70755 wp-block-group-is-layout-flex" style="border-bottom-color:var(--wp--preset--color--accent-6);border-bottom-width:1px;padding-top:var(--wp--preset--spacing--30);padding-bottom:var(--wp--preset--spacing--30)"><h3 class="wp-block-post-title has-large-font-size"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-interactive-form-with-validation/" target="_self" >TypeScript Tutorial: Building a Simple Interactive Form with Validation</a></h3> <div class="has-text-align-right wp-block-post-date"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-interactive-form-with-validation/"><time datetime="2026-03-20T18:01:15+00:00">March 20, 2026</time></a></div></div> </li><li class="wp-block-post post-4445 post type-post status-publish format-standard hentry category-javascript tag-beginner tag-css tag-game-development tag-html tag-javascript tag-tic-tac-toe tag-tutorial tag-typescript tag-web-development"> <div class="wp-block-group alignfull is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-cba70755 wp-block-group-is-layout-flex" style="border-bottom-color:var(--wp--preset--color--accent-6);border-bottom-width:1px;padding-top:var(--wp--preset--spacing--30);padding-bottom:var(--wp--preset--spacing--30)"><h3 class="wp-block-post-title has-large-font-size"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-game-of-tic-tac-toe/" target="_self" >TypeScript Tutorial: Building a Simple Game of Tic-Tac-Toe</a></h3> <div class="has-text-align-right wp-block-post-date"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-game-of-tic-tac-toe/"><time datetime="2026-03-20T17:37:44+00:00">March 20, 2026</time></a></div></div> </li><li class="wp-block-post post-4443 post type-post status-publish format-standard hentry category-javascript tag-api tag-beginner tag-cli tag-currency-converter tag-node-js tag-tutorial tag-typescript tag-web-development"> <div class="wp-block-group alignfull is-content-justification-space-between is-nowrap is-layout-flex wp-container-core-group-is-layout-cba70755 wp-block-group-is-layout-flex" style="border-bottom-color:var(--wp--preset--color--accent-6);border-bottom-width:1px;padding-top:var(--wp--preset--spacing--30);padding-bottom:var(--wp--preset--spacing--30)"><h3 class="wp-block-post-title has-large-font-size"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-currency-converter/" target="_self" >TypeScript Tutorial: Building a Simple Currency Converter</a></h3> <div class="has-text-align-right wp-block-post-date"><a href="https://learnmodernjavascript.com/typescript-tutorial-building-a-simple-currency-converter/"><time datetime="2026-03-20T17:30:49+00:00">March 20, 2026</time></a></div></div> </li></ul></div> </div> </main> <footer class="wp-block-template-part"> <div class="wp-block-group has-global-padding is-layout-constrained wp-block-group-is-layout-constrained" style="padding-top:var(--wp--preset--spacing--60);padding-bottom:var(--wp--preset--spacing--50)"> <div class="wp-block-group alignwide is-layout-flow wp-block-group-is-layout-flow"><div class="is-default-size wp-block-site-logo"><a href="https://learnmodernjavascript.com/" class="custom-logo-link" rel="home"><img width="401" height="267" src="https://learnmodernjavascript.com/wp-content/uploads/2026/02/ChatGPT_Image_Feb_3__2026__04_44_02_PM-removebg-preview-edited-1.png" class="custom-logo" alt="LearnModernJavaScript" decoding="async" fetchpriority="high" srcset="https://learnmodernjavascript.com/wp-content/uploads/2026/02/ChatGPT_Image_Feb_3__2026__04_44_02_PM-removebg-preview-edited-1.png 401w, https://learnmodernjavascript.com/wp-content/uploads/2026/02/ChatGPT_Image_Feb_3__2026__04_44_02_PM-removebg-preview-edited-1-300x200.png 300w" sizes="(max-width: 401px) 100vw, 401px" /></a></div> <div class="wp-block-group alignfull is-content-justification-space-between is-layout-flex wp-container-core-group-is-layout-cf54d0a6 wp-block-group-is-layout-flex"> <div class="wp-block-columns is-layout-flex wp-container-core-columns-is-layout-794e3cfa wp-block-columns-is-layout-flex"> <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow" style="flex-basis:100%"><p class="wp-block-site-tagline">Learn JavaScript the Modern Way</p></div> <div class="wp-block-column is-layout-flow wp-block-column-is-layout-flow"> <div style="height:var(--wp--preset--spacing--40);width:0px" aria-hidden="true" class="wp-block-spacer"></div> </div> </div> </div> <div class="wp-block-group alignfull is-content-justification-space-between is-layout-flex wp-container-core-group-is-layout-2ab8c7fb wp-block-group-is-layout-flex"> <p class="has-small-font-size wp-block-paragraph">© 2026 • LearnModernJavascript</p> <p class="has-small-font-size wp-block-paragraph">Inquiries: <strong><a href="mailto:admin@codingeasypeasy.com">admin@learnmodernjavascript.com</a></strong></p> </div> </div> </div> </footer></div> <script type="speculationrules"> {"prefetch":[{"source":"document","where":{"and":[{"href_matches":"/*"},{"not":{"href_matches":["/wp-*.php","/wp-admin/*","/wp-content/uploads/*","/wp-content/*","/wp-content/plugins/*","/wp-content/themes/twentytwentyfive/*","/*\\?(.+)"]}},{"not":{"selector_matches":"a[rel~=\"nofollow\"]"}},{"not":{"selector_matches":".no-prefetch, .no-prefetch a"}}]},"eagerness":"conservative"}]} </script> <div class="wp-dark-mode-floating-switch wp-dark-mode-ignore wp-dark-mode-animation wp-dark-mode-animation-bounce " style="right: 10px; bottom: 10px;">  <div class="wp-dark-mode-switch wp-dark-mode-ignore " tabindex="0" role="switch" aria-label="Dark Mode Toggle" aria-checked="false" data-style="1" data-size="1" data-text-light="" data-text-dark="" data-icon-light="" data-icon-dark=""></div></div><script data-wp-router-options="{"loadOnClientNavigation":true}" fetchpriority="low" id="@wordpress/block-library/navigation/view-js-module" src="https://learnmodernjavascript.com/wp-includes/js/dist/script-modules/block-library/navigation/view.min.js?ver=96a846e1d7b789c39ab9" type="module"></script>  <script> (()=>{var e=window.koko_analytics,c=["utm_source","utm_medium","utm_campaign"];function d(){let t={},a=new URLSearchParams(window.location.search),s=new URLSearchParams(window.location.hash.substring(1));return c.forEach(i=>{let n=a.get(i)||s.get(i);n&&(t[i]=n)}),t}e.trackPageview=function(t,a){if(/bot|crawl|spider|seo|lighthouse|facebookexternalhit|preview|prerender/i.test(navigator.userAgent)||window._phantom||window.__nightmare||window.navigator.webdriver||window.Cypress){console.debug("Koko Analytics: Ignoring call to trackPageview because user agent is a bot or this is a headless browser.");return}navigator.sendBeacon(e.url,new URLSearchParams({action:"koko_analytics_collect",pa:t,po:a,r:document.referrer.indexOf(e.site_url)==0?"":document.referrer,m:e.use_cookie?"c":e.method[0],...d()}))};function o(){e.trackPageview(e.path,e.post_id)}function r(){e.autotracked||(o(),e.autotracked=!0)}document.visibilityState==="hidden"||document.visibilityState==="prerender"?document.addEventListener("visibilitychange",()=>{document.visibilityState==="visible"&&r()}):r();window.addEventListener("pageshow",t=>{t.persisted&&o()});})(); </script> <script>document.addEventListener("DOMContentLoaded", function() { // ---------- CONFIG ---------- const MONETAG_URL = "https://omg10.com/4/10704559"; const STORAGE_KEY = "monetagLastShown"; const COOLDOWN = 24*60*60*1000; // 24 hours // ---------- CREATE MODAL HTML ---------- const modalHTML = ` <div id="monetagModal" style=" position:fixed; top:0; left:0; width:100%; height:100%; background:rgba(0,0,0,0.7); display:flex; align-items:center; justify-content:center; z-index:9999; visibility:hidden; opacity:0; transition: opacity 0.3s ease; "> <div style=" background:#fff; padding:25px; border-radius:10px; max-width:400px; text-align:center; box-shadow:0 4px 15px rgba(0,0,0,0.3); "> <h2>Welcome! 👋</h2> <p>Thanks for visiting! Before you continue, click the button below to unlock exclusive content and surprises just for you.</p> <button class="monetagBtn" style=" padding:10px 20px; background:#dc3545; color:#fff; border:none; border-radius:5px; cursor:pointer; margin-top:15px; ">Not Now</button> <button class="monetagBtn" style=" padding:10px 20px; background:#ff5722; color:#fff; border:none; border-radius:5px; cursor:pointer; margin-top:15px; ">Continue</button> </div> </div> `; document.body.insertAdjacentHTML("beforeend", modalHTML); // ---------- GET ELEMENTS ---------- const modal = document.getElementById("monetagModal"); const buttons = document.querySelectorAll(".monetagBtn"); // ---------- SHOW MODAL ON PAGE LOAD ---------- window.addEventListener("load", function(){ modal.style.visibility = "visible"; modal.style.opacity = "1"; }); // ---------- CHECK 24H COOLDOWN ---------- function canShow() { const last = localStorage.getItem(STORAGE_KEY); return !last || (Date.now() - parseInt(last)) > COOLDOWN; } // ---------- TRIGGER MONETAG ---------- buttons.forEach(btn => { btn.addEventListener("click", function(){ if(canShow()){ localStorage.setItem(STORAGE_KEY, Date.now()); window.open(MONETAG_URL,"_blank"); } // hide modal after click modal.style.opacity = "0"; setTimeout(()=>{ modal.style.visibility="hidden"; },300); }); }); });</script><script id="prismatic-prism-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/prism-core.js?ver=3.7.5"></script> <script id="prismatic-prism-toolbar-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/plugin-toolbar.js?ver=3.7.5"></script> <script id="prismatic-prism-line-highlight-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/plugin-line-highlight.js?ver=3.7.5"></script> <script id="prismatic-prism-line-numbers-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/plugin-line-numbers.js?ver=3.7.5"></script> <script id="prismatic-copy-clipboard-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/plugin-copy-clipboard.js?ver=3.7.5"></script> <script id="prismatic-command-line-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/plugin-command-line.js?ver=3.7.5"></script> <script id="prismatic-prism-javascript-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/lang-javascript.js?ver=3.7.5"></script> <script id="prismatic-prism-php-js" src="https://learnmodernjavascript.com/wp-content/plugins/prismatic/lib/prism/js/lang-php.js?ver=3.7.5"></script> <script id="zoom-social-icons-widget-frontend-js" src="https://learnmodernjavascript.com/wp-content/plugins/social-icons-widget-by-wpzoom/assets/js/social-icons-widget-frontend.js?ver=1500579482"></script> <script id="wp-emoji-settings" type="application/json"> {"baseUrl":"https://s.w.org/images/core/emoji/17.0.2/72x72/","ext":".png","svgUrl":"https://s.w.org/images/core/emoji/17.0.2/svg/","svgExt":".svg","source":{"concatemoji":"https://learnmodernjavascript.com/wp-includes/js/wp-emoji-release.min.js?ver=7.0"}} </script> <script type="module"> /*! This file is auto-generated */ const a=JSON.parse(document.getElementById("wp-emoji-settings").textContent),o=(window._wpemojiSettings=a,"wpEmojiSettingsSupports"),s=["flag","emoji"];function i(e){try{var t={supportTests:e,timestamp:(new Date).valueOf()};sessionStorage.setItem(o,JSON.stringify(t))}catch(e){}}function c(e,t,n){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);t=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(n,0,0);const a=new Uint32Array(e.getImageData(0,0,e.canvas.width,e.canvas.height).data);return t.every((e,t)=>e===a[t])}function p(e,t){e.clearRect(0,0,e.canvas.width,e.canvas.height),e.fillText(t,0,0);var n=e.getImageData(16,16,1,1);for(let e=0;e<n.data.length;e++)if(0!==n.data[e])return!1;return!0}function u(e,t,n,a){switch(t){case"flag":return n(e,"\ud83c\udff3\ufe0f\u200d\u26a7\ufe0f","\ud83c\udff3\ufe0f\u200b\u26a7\ufe0f")?!1:!n(e,"\ud83c\udde8\ud83c\uddf6","\ud83c\udde8\u200b\ud83c\uddf6")&&!n(e,"\ud83c\udff4\udb40\udc67\udb40\udc62\udb40\udc65\udb40\udc6e\udb40\udc67\udb40\udc7f","\ud83c\udff4\u200b\udb40\udc67\u200b\udb40\udc62\u200b\udb40\udc65\u200b\udb40\udc6e\u200b\udb40\udc67\u200b\udb40\udc7f");case"emoji":return!a(e,"\ud83e\u1fac8")}return!1}function f(e,t,n,a){let r;const o=(r="undefined"!=typeof WorkerGlobalScope&&self instanceof WorkerGlobalScope?new OffscreenCanvas(300,150):document.createElement("canvas")).getContext("2d",{willReadFrequently:!0}),s=(o.textBaseline="top",o.font="600 32px Arial",{});return e.forEach(e=>{s[e]=t(o,e,n,a)}),s}function r(e){var t=document.createElement("script");t.src=e,t.defer=!0,document.head.appendChild(t)}a.supports={everything:!0,everythingExceptFlag:!0},new Promise(t=>{let n=function(){try{var e=JSON.parse(sessionStorage.getItem(o));if("object"==typeof e&&"number"==typeof e.timestamp&&(new Date).valueOf()<e.timestamp+604800&&"object"==typeof e.supportTests)return e.supportTests}catch(e){}return null}();if(!n){if("undefined"!=typeof Worker&&"undefined"!=typeof OffscreenCanvas&&"undefined"!=typeof URL&&URL.createObjectURL&&"undefined"!=typeof Blob)try{var e="postMessage("+f.toString()+"("+[JSON.stringify(s),u.toString(),c.toString(),p.toString()].join(",")+"));",a=new Blob([e],{type:"text/javascript"});const r=new Worker(URL.createObjectURL(a),{name:"wpTestEmojiSupports"});return void(r.onmessage=e=>{i(n=e.data),r.terminate(),t(n)})}catch(e){}i(n=f(s,u,c,p))}t(n)}).then(e=>{for(const n in e)a.supports[n]=e[n],a.supports.everything=a.supports.everything&&a.supports[n],"flag"!==n&&(a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&a.supports[n]);var t;a.supports.everythingExceptFlag=a.supports.everythingExceptFlag&&!a.supports.flag,a.supports.everything||((t=a.source||{}).concatemoji?r(t.concatemoji):t.wpemoji&&t.twemoji&&(r(t.twemoji),r(t.wpemoji)))}); //# sourceURL=https://learnmodernjavascript.com/wp-includes/js/wp-emoji-loader.min.js </script> <script> (function() { function applyScrollbarStyles() { if (!document.documentElement.hasAttribute('data-wp-dark-mode-active')) { document.documentElement.style.removeProperty('scrollbar-color'); return; } document.documentElement.style.setProperty('scrollbar-color', '#2E334D #1D2033', 'important'); // Find and remove dark mode engine scrollbar styles. var styles = document.querySelectorAll('style'); styles.forEach(function(style) { if (style.id === 'wp-dark-mode-scrollbar-custom') return; if (style.textContent && style.textContent.indexOf('::-webkit-scrollbar') !== -1 && style.textContent.indexOf('#1D2033') === -1) { style.textContent = style.textContent.replace(/::-webkit-scrollbar[^}]*\{[^}]*\}/g, ''); style.textContent = style.textContent.replace(/::-webkit-scrollbar-track[^}]*\{[^}]*\}/g, ''); style.textContent = style.textContent.replace(/::-webkit-scrollbar-thumb[^{]*\{[^}]*\}/g, ''); style.textContent = style.textContent.replace(/::-webkit-scrollbar-corner[^}]*\{[^}]*\}/g, ''); } }); // Inject our styles. var existing = document.getElementById('wp-dark-mode-scrollbar-custom'); if (!existing) { var customStyle = document.createElement('style'); customStyle.id = 'wp-dark-mode-scrollbar-custom'; customStyle.textContent = '::-webkit-scrollbar { width: 12px !important; height: 12px !important; background: #1D2033 !important; }' + '::-webkit-scrollbar-track { background: #1D2033 !important; }' + '::-webkit-scrollbar-thumb { background: #2E334D !important; border-radius: 6px; }' + '::-webkit-scrollbar-thumb:hover { filter: brightness(1.2); }' + '::-webkit-scrollbar-corner { background: #1D2033 !important; }'; document.body.appendChild(customStyle); } } // Listen for dark mode changes. document.addEventListener('wp_dark_mode', function(e) { setTimeout(applyScrollbarStyles, 100); setTimeout(applyScrollbarStyles, 500); setTimeout(applyScrollbarStyles, 1000); }); // Observe attribute changes. var observer = new MutationObserver(function(mutations) { mutations.forEach(function(mutation) { if (mutation.attributeName === 'data-wp-dark-mode-active') { var existing = document.getElementById('wp-dark-mode-scrollbar-custom'); if (existing && !document.documentElement.hasAttribute('data-wp-dark-mode-active')) { existing.remove(); } setTimeout(applyScrollbarStyles, 100); setTimeout(applyScrollbarStyles, 500); } }); }); observer.observe(document.documentElement, { attributes: true }); // Initial apply. setTimeout(applyScrollbarStyles, 100); setTimeout(applyScrollbarStyles, 500); setTimeout(applyScrollbarStyles, 1000); })(); </script> </body> </html>

Demystifying JavaScript’s Same-Origin Policy: A Beginner’s Guide

What is the Same-Origin Policy?

Why is the Same-Origin Policy Important?

How Does the Same-Origin Policy Work?

Common Scenarios Where You’ll Encounter the SOP