You have automated ZAP to attack your site but then you see that there are other domains in the Sites Tree or in the report. Does this mean ZAP has attacked those other domains? No. ZAP will only attack the sites you specify. However, the AJAX Spider and the DOM XSS Scan Rule both launch browsers. We allow the browsers to access certain off domain resources such as JavaScript files - blocking these often breaks the target sites and mean the AJAX Spider or DOM XSS Scan Rule would not work.
