Cross-Site Script Inclusion

This policy keeps a malicious websites from being able to read sensitive data from other sites when a user is tricked into visiting them. A hacker's website can't include HTML from Facebook, for example, and scrape your profile if you visit their website.

hack-attempt.js

   /**
 * Attempt to access a user's profile page.
 */
fetch('https://www.facebooke.com/profile')
  .catch(err => {
     // The browser will cause this code to fail because the page
     // lives at a different origin. This prevents hackers scraping
     // data.
  }) 