Same Origin Policy to Images and CSS
Website can embed images from any other website over the internet. Interesting thing to notice is, sites can't read the image data from other sites.
CSS
Same any website can load CSS from any other website. Almost every application use such method these days. But sites can't read the CSS data from other websites
Demo
- Open sitea.com
- Open Developer console
- Type
document.styleSheets
- You will notice css rules, media, type and many other things
- Now go to inspector tab and change the css URL inside head element to any other sites css.
- In my case I have pointed the href URL to siteb css file
- You will notice no rules, no media
- This way, if there is any sensitive data in css, sitea can not read that data from siteb