
I guess the Same-Origin Policy doesn't apply to HttpRequest, since on any web page I can get a resource from another domain like below:

    <img src="http://anotherDomain.com/pic.jpg">

So, is the Same-Origin Policy only for XMLHttpRequest? And can an XMLHttpRequest only be sent by Ajax running in a browser?

Arch1tect

2 Answers


The important principle to understand about same-origin policy is that,

[it] prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.

as stated here. In other words, script execution in any form on the browser side (including images loaded from a foreign origin to be used in a canvas) should adhere to this policy, to prevent the potential compromise of the confidentiality or integrity of client data (such as cookies).

So, is Same-Origin Policy only for XMLHttpRequest?

In addition to XMLHttpRequest, it is also applicable to other client-side web technologies such as Silverlight, Flash, Java applets, Google Gears etc., as stated here.

And XMLHttpRequest can only be sent by Ajax running from a browser?

XMLHttpRequest is essentially a JavaScript object. So anything that can execute JavaScript can be used to send an XMLHttpRequest.

ivan.sim

The Same Origin Policy applies to everything that makes the content from another origin available to JavaScript.

The response to an HTTP request is one such example. Getting image data for use in a canvas is another.

Simply displaying content from another origin directly in a page is fine, since it can't be passed on by the scripts in the page.

Quentin
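Both answers draw the line at content becoming readable by JavaScript rather than merely displayed. The following is an added example, not code from the question or either answer: a small Node.js model of that decision, with origins compared as (scheme, host, port) and the "embed" versus "read" distinction made explicit. It also goes one step beyond the answers by modelling the CORS opt-in (`Access-Control-Allow-Origin`) that lets a server permit a cross-origin read; the function names, sample URLs and headers are assumptions made for this example.

```javascript
// Added example (not part of the original question or answers). A model of
// the Same-Origin Policy check a browser applies when a page uses a resource.
// Function names, URLs and headers below are constructed for illustration.

// An origin is the triple (scheme, host, port). Default ports are filled in
// so that https://a.example and https://a.example:443 compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPort = u.protocol === 'https:' ? '443' : '80';
  return `${u.protocol}//${u.hostname}:${u.port || defaultPort}`;
}

function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// CORS opt-in: the responding server may allow a cross-origin read by
// answering with Access-Control-Allow-Origin: * or the exact requester origin.
function corsAllowsRead(requesterOrigin, responseHeaders) {
  const acao = responseHeaders['access-control-allow-origin'];
  return acao === '*' || acao === requesterOrigin;
}

// use === 'embed': render only (<img src>, <script src>, <iframe src>).
// use === 'read' : content exposed to script (XHR/fetch response body,
//                  canvas pixel data from a drawn image, an iframe's DOM).
function sopDecision(pageUrl, resourceUrl, use, responseHeaders = {}) {
  if (use === 'embed') return 'allowed: displayed, not readable by script';
  if (use !== 'read') throw new Error(`unknown use: ${use}`);
  if (isSameOrigin(pageUrl, resourceUrl)) return 'allowed: same origin';
  // The Origin header the browser sends omits a default port, which is the
  // serialisation URL.origin gives, so compare against that form.
  const requester = new URL(pageUrl).origin;
  if (corsAllowsRead(requester, responseHeaders)) return 'allowed: CORS opt-in';
  return 'blocked: cross-origin read without CORS';
}

module.exports = { originOf, isSameOrigin, corsAllowsRead, sopDecision };
```

The `<img>` from the question is the 'embed' case: it renders regardless of origin, but drawing it into a canvas and reading the pixels back is a 'read' and is blocked unless the image's server opted in.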