Same Origin Policy (SOP)

The Same Origin Policy is a browser protection mechanism that prevents a website on one origin from reading another origin's resources through JavaScript. An origin is the combination of scheme, host and port.

Cross-origin reads using fetch(), XMLHttpRequest and related APIs are restricted by SOP, i.e. JavaScript running on one origin cannot read the network response or the DOM of another origin.

Note:

  1. The request to the other origin is still made (including cookies, depending on how the SameSite attribute of that website's cookies is set); only the response cannot be read because of SOP. Hence, SOP by itself does not prevent CSRF attacks.

  2. Some legacy JavaScript APIs can access cross-origin objects for backward compatibility; you can read about them here. These APIs are typically exploited in XS-Leaks attacks.

SOP still allows -

  1. Cross-origin writes - forms, redirects, etc.

  2. Cross-origin embeds - iframe, embed, video, image, object, script, link (stylesheets), etc.
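The following is an added example, not code from the original note: a small JavaScript model of the decision a browser makes under SOP when a script on one origin touches another origin. It compares origins as (scheme, host, port) with the built-in URL class and then reports, for a read, write or embed, whether the request leaves the browser, whether cookies ride along (governed by SameSite, not SOP) and whether the response is readable by script (only same-origin, or cross-origin with a matching CORS header). The `acao` and `sameSite` inputs are assumed values supplied by the caller, and same-site is approximated by same-origin; these are simplifications of real browser behaviour, not a specification.

```javascript
// Added example (not part of the original note): a small model of the
// decision a browser makes under the Same Origin Policy when a script on
// one origin touches a resource on another. Uses Node's built-in WHATWG URL
// class; the Access-Control-Allow-Origin and SameSite inputs are assumed
// values passed in by the caller, not fetched from a real server.

// An origin is the (scheme, host, port) triple. URL.origin already
// normalises default ports, so https://a.example:443 equals https://a.example.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Model of a page at `pageUrl` touching `targetUrl`.
//   kind:     'read'  - fetch()/XMLHttpRequest response body, or a frame's DOM
//             'write' - top-level navigation such as a link, redirect or form GET
//             'embed' - <img>, <script>, <iframe>, <link rel=stylesheet>, <video>, ...
//   acao:     Access-Control-Allow-Origin header the target would send (null = none)
//   sameSite: SameSite attribute on the target's cookies ('None', 'Lax', 'Strict')
// Simplification: "same site" is approximated by "same origin" here. A real
// browser compares registrable domains, so sub.a.example is same-site with a.example.
function sopDecision(pageUrl, targetUrl, kind, { acao = null, sameSite = 'Lax' } = {}) {
  const same = isSameOrigin(pageUrl, targetUrl);
  const pageOrigin = originOf(pageUrl);

  // SOP never stops the request from leaving the browser; it only governs
  // whether the response is exposed to script. That is why SOP alone does
  // not prevent CSRF: the forged request still reaches the server.
  const requestSent = true;

  // Cookies are attached according to SameSite, not SOP. Lax cookies
  // accompany top-level navigations (modelled here as 'write') but not
  // background reads or embeds.
  const cookiesSent = same
    || sameSite === 'None'
    || (sameSite === 'Lax' && kind === 'write');

  // Cross-origin reads need the server to opt in through CORS. For embeds
  // the same opt-in applies only when the element carries a crossorigin
  // attribute; otherwise the resource is rendered or executed without its
  // bytes ever being readable by script.
  const corsAllows = acao === '*' || acao === pageOrigin;
  let responseReadable;
  switch (kind) {
    case 'read':
    case 'embed':
      responseReadable = same || corsAllows;
      break;
    case 'write':
      // The navigation happens, but the originating script only sees the
      // result if the target lands in a same-origin frame it can reach.
      responseReadable = same;
      break;
    default:
      throw new Error(`unknown kind: ${kind}`);
  }
  return { sameOrigin: same, requestSent, cookiesSent, responseReadable };
}

// Constructed sample: a page on one origin fetching a resource on another.
console.log(sopDecision('https://app.example', 'https://api.example/me', 'read'));
// -> { sameOrigin: false, requestSent: true, cookiesSent: false, responseReadable: false }
```

The first call in the usage line shows the core of the note above: the request is sent, but without CORS the response stays opaque to the page's script. Passing `{ acao: 'https://app.example' }` flips `responseReadable` to true, which is the server opting in, and passing `{ sameSite: 'None' }` flips `cookiesSent` to true, which is why SameSite, not SOP, is the control that matters for CSRF.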
