George Armhold

Reputation: 31064

Same Origin Policy and external scripts

I've been tasked with integrating ad code from AdBrite.

This is the snippet I've been given, sanitized to remove our identifiers:

<script type="text/javascript">
var AdBrite_Title_Color = '3D81EE';
var AdBrite_Text_Color = '000000';
var AdBrite_Background_Color = 'FFFFFF';
var AdBrite_Border_Color = 'CCCCCC';
var AdBrite_URL_Color = '008000';
try{var AdBrite_Iframe=window.top!=window.self?2:1;var AdBrite_Referrer=document.referrer==''?document.location:document.referrer;AdBrite_Referrer=encodeURIComponent(AdBrite_Referrer);}catch(e){var AdBrite_Iframe='';var AdBrite_Referrer='';}
</script>
<script type="text/javascript">document.write(String.fromCharCode(60,83,67,82,73,80,84));document.write(' src="http://ads.adbrite.com/mb/text_group.php?sid=sanitized&zs=sanitized&ifr='+AdBrite_Iframe+'&ref='+AdBrite_Referrer+'" type="text/javascript">');document.write(String.fromCharCode(60,47,83,67,82,73,80,84,62));</script>
<div><a target="_top" href="http://www.adbrite.com/mb/commerce/purchase_form.php?opid=sanitized&afsid=1" style="font-weight:bold;font-family:Arial;font-size:13px;">Your Ad Here</a></div>

It's loading a remote script from the AdBrite servers by writing to the DOM. The String.fromCharCode cleverly writes out the ASCII chars for <script> in order to reference the remote JavaScript file.

My question is: why does this work? Don't browsers recognize this as a violation of the Same Origin Policy?

BTW, what prompted my investigation of this was the fact that I'm having trouble getting the URL params to be properly escaped and then un-escaped in GWT's UiBinder.

Thanks

Upvotes: 0

Views: 1098

Answers (1)

Xion

Reputation: 22770

Same origin policy applies to AJAX requests. Loading remote scripts is not governed by this rule, hence solutions like JSONP might exist.

Upvotes: 4
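Added example, not part of the original question or answer: it replays the snippet's three document.write calls into a buffer to show the exact tag the browser receives, confirms the script's origin differs from the page's, and checks that the encoded referrer round-trips. A script included this way is fetched cross-origin and then executes in the embedding page's context. PAGE_URL, buildAdMarkup and analyse are hypothetical names, and the page and referrer URLs are constructed sample values.

```javascript
// Constructed sample page URL (assumption, not from the original post).
const PAGE_URL = 'https://publisher.example/article?id=7&q=a%20b';

// Replays the snippet's logic with document.write replaced by a buffer.
function buildAdMarkup(pageUrl, referrer, inIframe) {
  const out = [];
  const write = (s) => out.push(s);           // stand-in for document.write
  const ifr = inIframe ? 2 : 1;               // window.top != window.self ? 2 : 1
  // document.referrer == '' ? document.location : document.referrer
  const ref = encodeURIComponent(referrer === '' ? pageUrl : referrer);
  write(String.fromCharCode(60, 83, 67, 82, 73, 80, 84));
  write(' src="http://ads.adbrite.com/mb/text_group.php?sid=sanitized&zs=sanitized&ifr=' +
        ifr + '&ref=' + ref + '" type="text/javascript">');
  write(String.fromCharCode(60, 47, 83, 67, 82, 73, 80, 84, 62));
  return out.join('');
}

// Extracts the src URL from the emitted tag and compares origins.
function analyse(pageUrl, referrer, inIframe) {
  const markup = buildAdMarkup(pageUrl, referrer, inIframe);
  const script = new URL(/src="([^"]*)"/.exec(markup)[1]);
  return {
    markup,
    pageOrigin: new URL(pageUrl).origin,
    scriptOrigin: script.origin,
    crossOrigin: script.origin !== new URL(pageUrl).origin,
    ifr: script.searchParams.get('ifr'),
    // Value the ad server recovers after URL-decoding the query string.
    refSeenByServer: script.searchParams.get('ref'),
  };
}

console.log(analyse(PAGE_URL, '', false));
```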
