xss
High
Vulnerability Details
The content on a server is including JavaScript content from an unrelated domain. When this script code is fetched by a user's browser and loaded into the DOM,
it has complete control over the DOM, bypassing the protection offered by the same-origin policy.
Even if the source of the script code is trusted by the website operator, malicious code could be introduced if that server is ever compromised.
It is strongly recommended that sensitive applications host all included JavaScript locally.
This gives the operator of the server where the code originates control over the DOM and the web application.
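A defender can check a page for exactly the condition described above, a script include whose origin differs from the page's own, before deploying it. The following audit script is an added example and is not part of the report or the affected application; the HTML it scans, the hostnames `app.example.test` and `cdn.third-party.example`, and the `integrity` value are all constructed placeholders. It resolves relative and scheme-relative `src` values against the page URL, skips same-origin includes, and reports each cross-origin include together with whether it carries a Subresource Integrity hash (a partial mitigation; the report's recommendation remains to host the script locally).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample page (not taken from the report): one relative script, one same-origin
# absolute script, one cross-origin script with no integrity attribute, one scheme-relative
# cross-origin script carrying a placeholder SRI hash, and one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://app.example.test/static/vendor.js"></script>
<script src="https://cdn.third-party.example/lib.js"></script>
<script src="//cdn.third-party.example/other.js"
        integrity="sha384-PLACEHOLDER_HASH" crossorigin="anonymous"></script>
<script>console.log("inline scripts have no src and are not external includes");</script>
</head><body></body></html>
"""


class ScriptSrcCollector(HTMLParser):
    """Collect the attributes of every <script> tag that has a src attribute."""

    def __init__(self):
        super().__init__()
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases tag and attribute names for us.
        if tag == "script":
            attributes = dict(attrs)
            if attributes.get("src"):
                self.scripts.append(attributes)


def origin_of(url):
    """Return the (scheme, host[:port]) pair that defines a URL's origin."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), parts.netloc.lower())


def audit_script_includes(html, page_url):
    """Return one finding per <script src> whose origin differs from the page's.

    Each finding records the src as written, the resolved origin, and whether the
    tag carries a Subresource Integrity hash. Same-origin includes are skipped,
    since those are under the site operator's control.
    """
    collector = ScriptSrcCollector()
    collector.feed(html)
    page_origin = origin_of(page_url)
    findings = []
    for attributes in collector.scripts:
        src = attributes["src"]
        # Resolve relative and scheme-relative ("//host/path") sources against the page URL.
        resolved = urljoin(page_url, src)
        if origin_of(resolved) == page_origin:
            continue
        findings.append({
            "src": src,
            "origin": "{}://{}".format(*origin_of(resolved)),
            "has_integrity": bool(attributes.get("integrity")),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_script_includes(SAMPLE_HTML, "https://app.example.test/index.html"):
        status = "SRI present" if finding["has_integrity"] else "NO integrity attribute"
        print(f"cross-origin script {finding['src']} from {finding['origin']}: {status}")
```

Run against the sample, the two `cdn.third-party.example` includes are reported and the two `app.example.test` includes are not; the inline script is ignored because it has no `src`. The same check can be wired into a build or CI step so that a newly added third-party include fails the pipeline rather than reaching production.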
Report Stats
- Report ID: 281387
- State: Closed
- Substate: informative
- Upvotes: 6