Why doesn’t a simple HTTP request to display a remote web page violate the Same Origin Policy?

On a w3schools page, I found that HTTP requests work like this:

  • A client (a browser) sends an HTTP request to the web
  • A web server receives the request, and runs an application to process it
  • The server returns an HTTP response (output) to the browser
  • The client (the browser) receives the response.

On the same page I found that an XMLHttpRequest works like this:

  • A browser creates an XMLHttpRequest object and sends it to the server
  • The server processes the request, creates a response and sends data back to the browser
  • The browser processes the returned data using JavaScript and updates the page content.

The above two processes appear pretty much the same to me. However, the latter one violates the Same Origin Policy (SOP) if the server runs on a remote domain. This question on Stack Overflow about the URL in the open() method says that

As we can only send requests to our own web server, I assume that we don’t have to rewrite the website’s name in the URL.

Applying the same logic to the first case (HTTP requests) would mean that I couldn’t open a web page if it is not on my own computer. Luckily, this is not the case.

So, why doesn’t an HTTP request to display a remote web page violate the SOP? What is the key point/difference here?

I assume it’s about the fact that the second process (XMLHttpRequest) is initiated from a script, while the first one is triggered by the user. However, isn’t the HTTP request sent from a script when I click a hyperlink on a web page? And how can a web server distinguish between requests coming from a script and coming from a user?
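Added after the question as an illustration (not part of the original post): a small JavaScript model of what the Same Origin Policy actually restricts. In both cases the browser sends the request; the policy decides whether a script on the page may read the response, and a top-level navigation hands the response to the browser itself, not to any script. The CORS check below is deliberately simplified (no preflight, no credentials rules) and is an assumption made for illustration, not browser code.

```javascript
// Constructed example: a toy model of the Same Origin Policy (SOP).

// An origin is the (scheme, host, port) triple of a URL. The WHATWG URL
// parser drops default ports, so http://a.example:80/ and http://a.example/
// produce the same origin string.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Models a script running on `pageUrl` issuing XMLHttpRequest/fetch to
// `targetUrl`. The request is always sent; the browser then decides whether
// the script may read the response. Cross-origin reads are allowed only if
// the server opts in via Access-Control-Allow-Origin (simplified CORS).
function scriptRequest(pageUrl, targetUrl, responseHeaders = {}) {
  const headers = {};
  for (const [k, v] of Object.entries(responseHeaders)) headers[k.toLowerCase()] = v;
  let canRead = isSameOrigin(pageUrl, targetUrl);
  if (!canRead) {
    const allow = headers['access-control-allow-origin'];
    canRead = allow === '*' || allow === originOf(pageUrl);
  }
  return { sent: true, scriptCanRead: canRead };
}

// Models the user typing a URL or clicking a link: the response is rendered
// by the browser as a new document. No script from the previous page gets
// the bytes, so there is nothing for the SOP to block.
function userNavigation(targetUrl) {
  return { sent: true, scriptCanRead: false, renderedBy: 'browser', origin: originOf(targetUrl) };
}

// Walk through the three cases the question contrasts.
const page = 'https://app.example.org/index.html';
console.log(scriptRequest(page, 'https://app.example.org/api'));            // same origin: readable
console.log(scriptRequest(page, 'https://api.example.net/data'));           // cross origin, no CORS: sent, not readable
console.log(scriptRequest(page, 'https://api.example.net/data',
  { 'Access-Control-Allow-Origin': 'https://app.example.org' }));          // cross origin, CORS opt-in: readable
console.log(userNavigation('https://api.example.net/page.html'));           // navigation: rendered, no script read
```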