Why don't I get a 'same origin policy' warning when using the Google Maps API?

javascript security rest google-maps cross-domain

Jordan Parmer · May 29, 2009 · Viewed 24.7k times · Source

I'm making a RESTful web service call in my JavaScript page and get the following warning:

"This page is accessing information that is not under its control. This poses a security risk. Do you want to continue?"

Now I've read up on this and am aware of the cross-domain, same origin policy. However, I don't get such warnings when I consume other APIs like Google's Maps API. Clearly the domain is not the same as my local domain. What is the difference?

My initial guess is that Google is 'imported' into the page using the <script> tag while my REST consumption is using XMLHttpRequest. IF that is the case, what is the difference between these two approaches that one would merit a warning and the other not?

Answer

The following might explain things: http://markmail.org/message/5wrphjwmo365pajy

Also, they employ some script hacks (e.g. inserting a script into the DOM to get requested data, instead of XHR).

Why don't I get a 'same origin policy' warning when using the Google Maps API?

Answer

Related questions