O'Reilly logo
  • Gary Hataway thinks this is interesting:

If the server at the other end returns a header that contains the origin of the domain from which the script is being loaded, then the browser will trust the server and will allow a cross-site request to be made:


Cover of Building Microservices with Go


Not the script, but the html containing the script?. When I tried downloading the just script used to access the microservice, it failed because it still said the ORIGIN was the server for the html.