html, security, browser, same-origin-policy

Why and how is same origin policy exempted in script tags?


I have a very simple question. Why and how is the same-origin policy exempted for things like scripts, links and img?

I believe scripts and links are loaded using GET in a similar manner to calling a server API. So what is the difference? Why can't exempting these tags from this policy harm us?

I found only this question on SO (Why is the HTML SCRIPT tag not subject to the same origin policy), which doesn't have satisfying answers, and not even an accepted answer.


Solution

  • Sending a GET request (even with cookies) is not harmful; GET requests are not supposed to have any side-effects.

    None of these tags allow the calling page to (directly) read responses, so they don't leak information.

    Therefore, there is (almost) nothing wrong with allowing it.