Web
same origin policy

What is Same-Origin Policy(SOP)?

same-origin policy (SOP) is a security rule enforced by browsers which handles the data access between website or web Applications.

What it is not?

SOP is not an Internet standard or a fixed rule but rather a general browser security policy. It is interpreted differently by different browsers. It also works differently for different technologies.However, the general idea remains the same: to help make sure that there is not unauthorized cross-site access.

Why we need this ?

Without SOP, any web page would be able to access the DOM of other pages. This would let it access potentially sensitive data from another web page as well as perform actions on other web pages without user consent also isolate potentially malicious documents, reducing possible attack vectors.

What is the Origin?

In most cases, the origin is a combination of three elements: the schema (protocol), the hostname (domain/subdomain), and the port. identified by schema:hostname/anything:port

http://store.company.com/dir2/other.htmlSame originOnly the path differs
http://store.company.com/dir/inner/another.htmlSame originOnly the path differs
https://store.company.com/page.htmlFailureDifferent protocol
http://store.company.com:81/dir/page.htmlFailureDifferent port (http:// is port 80 by default)
http://news.company.com/dir/page.htmlFailureDifferent host
source : https://developer.mozilla.org

what are Trust zones?

If both domains are in the highly trusted zone (e.g. corporate intranet domains), then the same-origin limitations are not applied.

When is Same Origin Policy(sop) Apply

Origin checks are applied by the browser in every case of potential interaction between elements from different origins. This includes, but is not limited to:

  • JavaScript code and the Document Object Model (DOM), for example, a page cannot access the content of its iframe unless they are of the same origin.
  • Cookies, for example, your session cookie for a particular site cannot be sent to a page with a different origin. However, in the case of cookies, schema and port are not evaluated, only the domain/subdomain.
  • AJAX calls (XmlHTTPRequest).

what if you need to share resources between origins?

Cross origin resource sharing (CORS) is an HTTP mechanism that used http headers to define origin permissions.

Same-Origin Policy on its own increases security but is not enough to prevent all Cross-Site Request Forgery (CSRF) attacks

Leave a Reply

Your email address will not be published. Required fields are marked *