It’s common practice to include scripts from other origins with script tags, but when you use fetch calls on other origins then everything must be configured carefully, otherwise you will get a CORS error.
Does the script tag somehow bypass CORS? How does that work?
Answer
The Same Origin Policy prevents JavaScript reading data from other origins without permission (which is usually provided by CORS).
Running JavaScript from other origins is not prevented by the Same Origin Policy (nor is loading stylesheets, displaying images, content in iframes, etc).
JavaScript in the page can’t (usually) read sensitive data from other origins through those methods in the first place.
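The distinction drawn in the answer above, as an added example that is not part of the original post: a simplified model of what the embedding page's JavaScript gets from a `<script>` load versus a `fetch()` call. The function names and the `.example` origins are assumptions for illustration, and real browsers apply further checks (preflight requests, for instance) that this model leaves out.

```javascript
// Added example: a simplified model of browser behaviour, not a real browser API.
// All origins and URLs below are constructed for illustration.

// Would CORS let script running on pageOrigin read this cross-origin response?
function corsAllowsRead(pageOrigin, headers, withCredentials) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v; // header names are case-insensitive
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;       // server gave no permission
  if (allowOrigin === "*") return !withCredentials;  // wildcard is not accepted for credentialed requests
  if (allowOrigin !== pageOrigin) return false;      // permission is for a different origin
  return !withCredentials || h["access-control-allow-credentials"] === "true";
}

// What does the embedding page get from a resource loaded through `via`?
function classify({ pageOrigin, url, via, headers = {}, withCredentials = false }) {
  const sameOrigin = new URL(url).origin === pageOrigin;
  switch (via) {
    case "script": // <script src>: the code runs, but the tag never hands its source text to page JS
      return { used: "executed", readable: false };
    case "fetch": { // fetch(): exists to hand the response body to page JS, so the read is gated
      const readable = sameOrigin || corsAllowsRead(pageOrigin, headers, withCredentials);
      return { used: readable ? "returned" : "blocked", readable };
    }
    default:
      throw new Error(`unknown load type: ${via}`);
  }
}

const page = "https://app.example";
const cases = [
  { via: "script", url: "https://cdn.example/lib.js" },
  { via: "fetch", url: "https://app.example/me" },
  { via: "fetch", url: "https://api.example/me" },
  { via: "fetch", url: "https://api.example/me",
    headers: { "Access-Control-Allow-Origin": page } },
  { via: "fetch", url: "https://api.example/me",
    headers: { "Access-Control-Allow-Origin": "*" }, withCredentials: true },
];
for (const c of cases) console.log(c.via, c.url, classify({ pageOrigin: page, ...c }));
```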