↑Kemp, John (2011년 2월 4일). “Security on the Web”. 2018년 7월 24일에 확인함. The same-origin policy states that a document from one unique origin may only load resources from the origin from which the document was loaded. In particular this applies to XMLHttpRequest calls made from within a document. Images, CSS and dynamically-loaded scripts are not subject to same-origin policy.
↑“@font-face”. 《MDN Web Docs》 (미국 영어). 2018년 7월 24일에 확인함. Web fonts are subject to the same domain restriction (font files must be on the same domain as the page using them), unless HTTP access controls are used to relax this restriction.