Reputation: 1168
This SO post lists numerous ways to circumvent this policy.
However, I can't tell if any of these are applicable to when you don't have access to the second origin.
Particularly this one, 3rd answer down, where you insert a script that calls a script from the second origin.
<script src="http://..../someData.js?callback=some_func"></script>
But in general do any of these methods allow circumvention when you are on origin one...and need access to origin two?
Upvotes: 1
Views: 103
Reputation: 95318
Obviously this can't be possible, otherwise the policy would be useless. It's all about preventing you from pulling data from a third host, which is exactly what you are trying to do.
Note that browsers have no notion of what is part of the "private" local network and what is part of the "public" global internet. So this policy exists to prevent arbitrary JavaScript code from accessing resources on your local network.
Upvotes: 2
Reputation: 237975
Yes, you can circumvent the Same Origin Policy without controlling the second server, but you can't do it without the cooperation of the owner of the second server. Often, as in your example, this is done by cooperating with the JSONP conventions. There is no other way of doing this without proxying the requests to the second server through the first.
Upvotes: 2
Reputation: 120258
NO, that's the entire point. The SOP can be turned off only if the server specifically allows it through either CORS or something like JSONP.
Inserting scriptlets is an attack (regardless of whether your intentions are good). If I owned a domain and someone did that, they would be banned and reported to the authorities.
The closest you can come is to use a server-side proxy (i.e. have your JS make requests to your server, which in turn makes requests to the third party).
Upvotes: 0
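The opt-in the answers above describe, seen from the second origin's side, as an added example that is not part of the original thread: the server decides which origins get a CORS header and which JSONP callback names it will emit, and a simplified model of the browser's check shows why a page on origin one reads nothing without that cooperation. The origin names, the allow-list and all function names are assumptions made for illustration.

```javascript
// Constructed allow-list: origins that the owner of origin two has agreed to serve.
const ALLOWED_ORIGINS = new Set(["https://origin-one.example"]);

// Origin two's CORS decision: echo the Origin header only when it is allow-listed.
function corsHeaders(requestOrigin) {
  if (!requestOrigin || !ALLOWED_ORIGINS.has(requestOrigin)) return {};
  // Vary: Origin keeps shared caches from replaying one origin's grant to another.
  return { "Access-Control-Allow-Origin": requestOrigin, "Vary": "Origin" };
}

// Simplified model of the browser's check for a non-credentialed request:
// script on pageOrigin may read the response only if the header matches.
function browserAllowsRead(pageOrigin, responseHeaders) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  return acao === "*" || acao === pageOrigin;
}

// Origin two's JSONP endpoint: the callback parameter is written into
// executable script, so accept only a plain identifier and reject the rest.
function jsonpBody(callback, data) {
  if (typeof callback !== "string" || !/^[A-Za-z_$][\w$]{0,63}$/.test(callback)) {
    return null; // caller should answer 400 Bad Request
  }
  const json = JSON.stringify(data)
    .replace(/</g, "\\u003c")        // cannot close a <script> element
    .replace(/\u2028/g, "\\u2028")   // line separators are unsafe in older JS parsers
    .replace(/\u2029/g, "\\u2029");
  return `/**/${callback}(${json});`; // leading comment blunts content-sniffing tricks
}

// Constructed requests: one from the cooperating origin, one from a stranger.
for (const origin of ["https://origin-one.example", "https://other.example"]) {
  const readable = browserAllowsRead(origin, corsHeaders(origin));
  console.log(origin, readable ? "may read the response" : "is blocked by the SOP");
}
console.log(jsonpBody("some_func", { n: 1 }));
console.log(jsonpBody("alert(1)//", { n: 1 }));
```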