Cross-Site Script Inclusion

This policy keeps a malicious websites from being able to read sensitive data from other sites when a user is tricked into visiting them. A hacker's website can't include HTML from Facebook, for example, and scrape your profile if you visit their website.

hack-attempt.js
 /**
 * Attempt to access a user's profile page.
 */
fetch('https://www.facebooke.com/profile').catch((err) => {
  // The browser will cause this code to fail because the page
  // lives at a different origin. This prevents hackers scraping
  // data.
});