Monday, April 1, 2013

Cross Site Script Inclusion (XSSI)

While browsers prevent a page on one domain from reading pages served by a different domain, they do not prevent a page on one domain from referencing resources hosted on a different domain. This means that images can be rendered and scripts can be run from other domains. The problem is that an included script does not get its own security context; it runs in the security context of the page that included it.
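As an added example (not code from the post), here is the usual server-side defence this implies for JSON endpoints that carry per-user data, written in JavaScript: the response is prefixed so that it is not valid script, and only a same-origin client that knows the prefix can parse it. The names `guardJson`, `parseGuardedJson`, `isExecutableAsScript` and the sample payload are constructed for this example; the `)]}',` prefix itself is a widely used convention.

```javascript
// Added example, not from the original post. Because any origin can pull a URL
// in via <script src>, a response carrying per-user data must not be valid
// JavaScript. Prefixing it with ")]}',\n" makes a script parser fail before any
// data is evaluated, while our own same-origin fetch() client strips the prefix.
// guardJson, parseGuardedJson and isExecutableAsScript are names assumed here.

const XSSI_PREFIX = ")]}',\n";

// Server side: serialize the data and prepend the non-executable guard.
function guardJson(value) {
  return XSSI_PREFIX + JSON.stringify(value);
}

// Client side: only code that expects the prefix can recover the data.
function parseGuardedJson(body) {
  if (!body.startsWith(XSSI_PREFIX)) {
    throw new Error("missing XSSI guard prefix; refusing to parse");
  }
  return JSON.parse(body.slice(XSSI_PREFIX.length));
}

// Check used by the example: would this body parse if a <script src> tag
// pointed at it? new Function() parses the text as a script body; a
// SyntaxError means a browser would refuse to run it.
function isExecutableAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed sample: a per-user payload the server must not leak cross-origin.
const sample = { user: "alice", sessionToken: "constructed-token-123" };

// Legacy pattern: data served as a script ("var profile = {...};") parses fine,
// so whichever page includes it gets the assignment run in its own context.
const legacyBody = "var profile = " + JSON.stringify(sample) + ";";

// Guarded pattern: same data, but not executable as a script.
const guardedBody = guardJson(sample);

if (typeof require !== "undefined" && require.main === module) {
  console.log("legacy body executable as script:", isExecutableAsScript(legacyBody));
  console.log("guarded body executable as script:", isExecutableAsScript(guardedBody));
  console.log("same-origin client recovers user:", parseGuardedJson(guardedBody).user);
}
```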
