📌
Software Security
  • README
  • Prerequisites
    • Prerequisites
  • Introduction
    • Cyber security principles
    • Basic web concepts
      • HTTP
      • JavaScript
      • Cookies
      • SQL
      • DOM
      • APIs and the multitier architecture
    • Basic browser security concepts
      • Same-Origin Policy (SOP)
      • Cross-Origin Resource Sharing (CORS)
      • Cookies
      • Tracking
    • Basic security concepts
      • Hashing
  • Access Control: Basics
    • Authentication
      • Passwords
      • Password managers
      • Attacking passwords - online
      • Attacking passwords - offline
    • Authorization
      • Insecure direct object references
    • Session Management
    • CSRF
      • CSRF: why & how it works
      • Protecting against CSRF attacks
    • SSRF
      • SSRF: how it works and how we can protect against it
  • Access Control: Advanced
    • Authentication
      • Federation
      • Alternative authentication mechanisms
      • FIDO2 and WebAuthn
  • Injection attacks
    • Injection attacks
    • SQL Injection
    • Command Injection
    • Cross-site scripting
      • Input validation
      • Context sensitive output encoding
      • About the HttpOnly flag
      • Content Security Policy
    • Subresource integrity
    • Sandboxing
  • HTTPS
    • HTTPS
    • Introduction to cryptography
    • PKI
    • Setting up HTTPS
    • References
  • HTTP Headers for security
    • HTTP Headers
  • Threat Modeling
    • Threat modeling introduction
    • Threat modeling basics
    • Inspiration for threats
  • Bringing it all together
    • A comprehensive overview of controls
Powered by GitBook
On this page
  • Same-origin policy
  • What is cross-origin
  • Quick overview of what is allowed and disallowed by the SOP
  • Source attribution

Was this helpful?

  1. Introduction
  2. Basic browser security concepts

Same-Origin Policy (SOP)

PreviousBasic browser security conceptsNextCross-Origin Resource Sharing (CORS)

Last updated 2 years ago

Was this helpful?

Same-origin policy

The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors. However, since the web originally had no security boundaries built in, SOP was only added later. This sadly means that SOP does not apply to everything and thus makes it sometimes hard to understand. In what follows, an overview is given of which requests are subject to the SOP and which ones are not.

What is cross-origin

Web content's origin is defined by the scheme (protocol), host (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, host, and port all match. If one of these three elements is different, the call is considered cross origin.

For examples, see https://developer.mozilla.org/en-US/docs/Glossary/origin

Quick overview of what is allowed and disallowed by the SOP

  • Cross-origin writes are typically allowed. Examples are links, redirects, and form submissions. However, some HTTP requests do require .

  • Cross-origin embedding is typically allowed.

    • JavaScript with <script src="…"></script>. Error details for syntax errors are only available for same-origin scripts.

    • CSS applied with <link rel="stylesheet" href="…">.

    • Images displayed by <img>. In current browser designs, images loaded like this remain opaque to JavaScript running on the page and cannot trivially be read back by attackers.

    • Media played by <video> and <audio>.

    • Plugins embedded with <object>, <embed>, and <applet>.

    • Fonts applied with @font-face. Some browsers allow cross-origin fonts, others require same-origin.

    • Anything embedded by <frame> and <iframe>. Sites can use HTTP headers to prevent cross-origin framing (as we'll see later).

  • Cross-origin reads are typically disallowed, but read access is often leaked by embedding. For example, you can read the dimensions of an embedded image, the actions of an embedded script, or the availability of an embedded resource.

The SOP restriction can be lifted by using CORS.

Another excellent resource to learn about SOP is https://code.google.com/archive/p/browsersec/wikis/Part2.wiki#Same-origin_policy

Source attribution

Some parts of this page are based on and by Mozilla Contributors, which is licensed under .

preflight
Same-Origin Policy
Origin
CC-BY-SA 2.5