Trusted answers to developer questions

What is the Same Origin Policy?

Educative Answers Team


The Same Origin Policy (SOP) is a security policy enforced by web browsers that regulates the flow of data between websites and web applications. It prevents a webpage from reading the DOM of a page served from a different origin. Its main goal is to prevent unauthorized cross-site access to a user's data.

What does Origin mean in SOP?

An origin comprises the protocol (scheme), the hostname (including any subdomain), and the port. Two resources have the same origin only if all three components match, that is, they share the same protocol://hostname:port. Let’s consider an example:

The policy is applied when elements from different origins interact, such as:

  • Cookies: session cookies for one website are not sent to another website. Cookie scope depends only on the hostname, not on the port or the protocol.
  • AJAX calls.
  • JavaScript and the DOM: a page cannot access the contents of an iframe it embeds unless the iframe is from the same origin.
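As an added example that is not part of the original answer, the following JavaScript compares two URLs the way the SOP does (protocol, hostname and port must all match) and, separately, the way cookie scope does (hostname only). All URLs are constructed sample values.

```javascript
// Added example (not from the original page): decide whether two URLs share an
// origin under the Same Origin Policy, and separately whether they share the
// looser scope used by cookies (hostname only, ignoring scheme and port).
// All URLs below are constructed sample values.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Normalise a URL into its origin tuple: scheme, hostname and effective port.
function originOf(urlString) {
  const url = new URL(urlString);
  return {
    protocol: url.protocol,
    hostname: url.hostname,
    // URL.port is '' for the scheme's default port; fill it in so that
    // https://example.com and https://example.com:443 compare equal.
    port: url.port || DEFAULT_PORTS[url.protocol] || '',
  };
}

// SOP comparison: every component of the tuple must match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.hostname === y.hostname && x.port === y.port;
}

// Cookie scope: cookies depend only on the hostname, so a cookie set on one
// port or scheme is also sent to the same host on another.
function sameCookieHost(a, b) {
  return new URL(a).hostname === new URL(b).hostname;
}

// Check a list of candidate URLs against a base page and report both verdicts.
function classify(base, candidates) {
  return candidates.map((u) => ({
    url: u,
    sameOrigin: sameOrigin(base, u),
    sameCookieHost: sameCookieHost(base, u),
  }));
}

const report = classify('https://store.example.com/cart', [
  'https://store.example.com:443/checkout', // same origin: 443 is the default port
  'http://store.example.com/cart',          // scheme differs, cookie host matches
  'https://store.example.com:8443/admin',   // port differs, cookie host matches
  'https://example.com/',                   // host differs: neither matches
]);
console.table(report);
```

Only the first candidate is same-origin; the second and third still share the cookie scope, which is why cookie isolation is weaker than the SOP.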

Importance

The same-origin policy prevents other sites from reading a user's data, for example data protected by cookies. When the browser sends an HTTP request, it also sends any cookie associated with that session, including the session ID.

These cookies carry the user's authentication state, so the server produces an HTTP response specific to that user, which may contain sensitive information. Therefore, even if you visit a malicious webpage that embeds iframes loading data from Facebook, its scripts cannot read your response and steal your personal information.

The SOP does, however, allow exceptions where the action poses no security threat to the user, such as embedding images, CSS, or scripts from another site, or framing another page in an iframe. This is called cross-origin loading.

Even though a page can load these external resources, its JavaScript cannot read their contents.

Copyright ©2022 Educative, Inc. All rights reserved
