Why Is The Html Script Tag Not Subject To The Same Origin Policy

I am asking this questions because we will develop an application that is supposed to share cross origin data via javascript. One possible solution seems JSONP as it uses SCRIPT ta

Solution 1:

I suppose this draft titled "Principles of the Same-Origin Policy" explains (albeit briefly) what's pretty much in everyone's head:

In principle, user agents could treat every URL as a separate principal and isolate each document from every other URL unless the document explicitly indicated that it trusted that URL. Unfortunately, this design is cumbersome for developers because web applications often consist of a number of resource acting in concert.

As an approximation, user agents group URLs together into protection domains called origins. In particular, two URLs are part of the same origin (i.e., represent the same principal) if they have the same scheme, host, and port.

In short: it would be much harder to build the Web if everything was subject to SOP.

Solution 2:

The reason is because of legacy. It was built that way many years ago and if it changes now, too many sites will fail. Plus the security implications are well known, since it has been around for so long.