Select correct statement(s)

A. JavaScript code of one origin can only access
the credentials, e.g., cookies belonging to that
origin
B. JavaScript source code in webpages is always visible e.g., in browsers
C. JavaScript code imported from an external domain, e.g., from attackers and executed in an origin can access the credentials, e.g., cookies belonging to that origin
D. A and B
E. A, B, and C