Same Origin Policy: Why can’t JS code make an HTTP request to its domain?


I have a site This site uses a third-party JS code: <script src=""></script>

The contains the following code:

console.log("self.origin", self.origin);

When I open, I get the following output in dev console:


Access to fetch at '' from origin '' has been blocked by CORS policy: No 'Access-Control-Allow-Origin' header is present on the requested resource. If an opaque response serves your needs, set the request's mode to 'no-cors' to fetch the resource with CORS disabled.

The third-party script tried to load data from the third-party API, but it failed. Why did it fail?

The third-party script and API have the same domain name (origin). Should it be allowed by the Same Origin Policy?


The origin is determined by the URL of the webpage the JavaScript is loaded into, not the URL of the JS file itself.
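
Added example, not part of the original question or answer: a small model of the check the browser performs for the fetch above, and of the header the API would have to return for it to succeed. The hostnames `site.example` and `thirdparty.example` and all function names are constructed placeholders, and the header logic covers only simple requests (no preflight).

```javascript
// Constructed placeholder URLs; the page's real hostnames are not shown.
const PAGE = "https://site.example/index.html";         // document that runs the script
const SCRIPT = "https://thirdparty.example/widget.js";  // where the script file is hosted
const API = "https://thirdparty.example/api/data";      // what the script fetches

// Origin = scheme + host + port; for a page this is what self.origin prints.
function originOf(url) {
  return new URL(url).origin;
}

// The request's origin comes from the document; scriptUrl is deliberately unused.
function requestOrigin(pageUrl, scriptUrl) {
  return originOf(pageUrl);
}

function isCrossOrigin(pageUrl, scriptUrl, requestUrl) {
  return requestOrigin(pageUrl, scriptUrl) !== originOf(requestUrl);
}

// API side: echo the Origin request header only if it is on an allowlist.
function corsHeadersFor(originHeader, allowedOrigins, allowCredentials = false) {
  if (!originHeader || !allowedOrigins.has(originHeader)) return {};
  const headers = { "access-control-allow-origin": originHeader, "vary": "Origin" };
  if (allowCredentials) headers["access-control-allow-credentials"] = "true";
  return headers;
}

// Browser side: may the page's script read the response body?
function browserAllowsRead(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  const pageOrigin = originOf(pageUrl);
  if (pageOrigin === originOf(requestUrl)) return true; // same-origin: no CORS check
  const acao = responseHeaders["access-control-allow-origin"];
  if (withCredentials) {
    // Credentialed requests: "*" is rejected and Allow-Credentials must be "true".
    return acao === pageOrigin &&
      responseHeaders["access-control-allow-credentials"] === "true";
  }
  return acao === "*" || acao === pageOrigin;
}
```

An allowlist that echoes the caller's origin (with `Vary: Origin`) is the safer server-side fix than a blanket `*`, and it is the only form that works once the request carries cookies.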