Also, the scripts executed in a website that's protected by the same-origin policy are under restrictions. So, a request generated by the script follows the same rules. If we want to execute a request using JavaScript to avoid the same-origin policy, you need to force the script to execute it in order to comply with the rule and execute the request in the script, for example:
function( const Http = new XMLHttpRequest(); const url='https://jsonplaceholder.typicode.com/posts'; Http.open("GET", url); Http.send(); Http.onreadystatechange=(e)=>{ console.log(Http.responseText) } ); <script> function function(message) { alert(message); } </script> <script src="http://testsite.com/file.aspx"> </script>
In the preceding example, we are including the request in a JavaScript function. When the JavaScript function is loaded by the website, the code is also included, and executed as part of the same domain.