Actually, it only makes sense as it works right now. When you are a developer on host A and decide to include a script, then you have already figured out that the script is safe to include, so no bookkeeping is necessary. If a hacker has gained access to host A, they can run any code they want, so there is no reason to prevent inclusion of scripts from host B. However, the developer of host B might have designed their resource so that it provides privileged user data based on a cookie. If it could be loaded into the page of host A, it would give the developer (or hacker) of host A access to the privileged info of all users that frequent host B. This is why the developer of host B must explicitly publish a resource for inclusion on foreign pages.
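The opt-in described above, sketched as an added example that is not part of the original post: host B decides per resource which foreign origins may read it, and the browser on host A's page enforces that decision. It assumes the publishing mechanism is CORS response headers (the post does not name one); the paths, origins and function names are hypothetical.

```javascript
// Constructed policy for host B: which foreign origins may read which resource.
const POLICY = {
  "/public/widget.json": { origins: "*", credentials: false },
  "/api/profile": { origins: ["https://host-a.example"], credentials: true },
  "/api/admin": { origins: [], credentials: false }, // never published
};

// Host B side: CORS response headers for a request carrying this Origin.
// An empty object means "not published for foreign pages".
function corsHeaders(path, requestOrigin) {
  const rule = POLICY[path];
  if (!rule || !requestOrigin) return {};
  if (rule.origins === "*") {
    // Wildcard only for data that is identical for every visitor;
    // it is never combined with credentials.
    return { "Access-Control-Allow-Origin": "*" };
  }
  // Exact match against an allowlist: no substring or suffix matching,
  // and no blind reflection of whatever Origin the request sent.
  if (!rule.origins.includes(requestOrigin)) return {};
  const headers = {
    "Access-Control-Allow-Origin": requestOrigin,
    "Vary": "Origin", // shared caches must not reuse this answer for others
  };
  if (rule.credentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side, on host A's page: may the page's script read the response?
// Simplified form of the CORS check browsers apply to cross-origin fetches.
function browserAllowsRead(headers, pageOrigin, withCredentials) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (!allow) return false;
  if (withCredentials) {
    // A cookie-bearing request needs an exact origin and an explicit opt-in.
    return allow === pageOrigin &&
      headers["Access-Control-Allow-Credentials"] === "true";
  }
  return allow === "*" || allow === pageOrigin;
}
```

The cookie-backed `/api/profile` is readable only from the one origin host B listed, while the wildcard resource is readable from anywhere but never with the visitor's cookies attached.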