Difference between revisions of "Same Origin Policy"

From MgmtWiki
Revision as of 10:19, 21 November 2025

Meme

The Same Origin Policy (SOP) addresses key web security threats by preventing scripts from one origin from accessing data or resources from another origin. It protects against cross-site attacks like XSS, CSRF, and data theft.

Its primary use has been as a Browser Origin Policy, providing defenses against some of the attacks on users of web browsers.

Context

  1. Threats Mitigated by the Same-Origin Policy
    1. Cross-Site Scripting (XSS) Data Theft
      1. Threat: Malicious scripts injected into a trusted site could access sensitive data (cookies, localStorage, session info).
      2. SOP Defense: Prevents scripts from reading data from other origins, even if embedded.
    2. Cross-Site Request Forgery (CSRF)
      1. Threat: An attacker tricks a user’s browser into sending authenticated requests to another site.
      2. SOP Defense: Restricts cross-origin access to response data, making CSRF harder to exploit without additional vectors.
    3. Session Hijacking via Embedded Requests
      1. Threat: A malicious site embeds content from another origin and tries to read session-specific responses.
      2. SOP Defense: Blocks JavaScript from accessing embedded content (e.g., iframes, images) from other origins.
    4. Credential Leakage
      1. Threat: Unauthorized access to cookies, tokens, or headers tied to another origin.
      2. SOP Defense: Ensures that only scripts from the same origin can access these credentials.
    5. Unauthorized DOM Access
      1. Threat: Scripts from one origin manipulate or inspect the DOM of another origin (e.g., popup windows, iframes).
      2. SOP Defense: Prevents cross-origin DOM access, preserving UI integrity and user privacy.
  2. How SOP Works
    1. Defines “origin” as the scheme (protocol), host (domain), and port.
    2. Two pages are same-origin only if all three match.
    3. SOP restricts:
      1. JavaScript access to cross-origin content.
      2. Reading response data from cross-origin requests.
      3. DOM manipulation across origins.
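The scheme/host/port rule above, worked through in code. This is an added example, not content from the wiki page: it builds the origin tuple with the standard WHATWG URL API (browsers and Node.js), compares pairs of constructed example.com URLs, and checks that the hand-built comparison agrees with the browser's own URL.origin serialization.

```javascript
// Added example (not from the wiki page): compute the (scheme, host, port)
// tuple that the Same Origin Policy compares, and test constructed URL pairs.
// Only the WHATWG URL API is used, so this runs in browsers and in Node.js.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// URL.port is "" when the port is the scheme default, so normalize it to the
// explicit number; otherwise "https://a/" and "https://a:443/" would differ.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname, // parser lowercases the host
    port: u.port === "" ? (DEFAULT_PORTS[u.protocol] ?? "") : u.port,
  };
}

// Same-origin only when scheme, host and port all match.
// Path, query string and fragment play no role.
function isSameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Browsers expose the same tuple serialized as URL.origin; used as a cross-check.
function isSameOriginBuiltin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed pairs with the expected verdict and the reason for it.
const CASES = [
  ["https://example.com/a", "https://example.com/b?x=1#frag", true], // path/query/fragment ignored
  ["https://example.com/", "https://example.com:443/", true],          // explicit default port
  ["https://example.com/", "https://Example.COM/", true],              // host is case-insensitive
  ["https://example.com/", "http://example.com/", false],              // scheme differs
  ["https://example.com/", "https://www.example.com/", false],         // host differs (subdomain)
  ["https://example.com/", "https://example.com:8443/", false],        // port differs
];

// Evaluate every pair with both checks so disagreements are visible.
function evaluateCases() {
  return CASES.map(([a, b, expected]) => ({
    a, b, expected, actual: isSameOrigin(a, b), builtin: isSameOriginBuiltin(a, b),
  }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const c of evaluateCases()) {
    console.log(c.actual === c.expected ? "ok  " : "FAIL", c.a, "vs", c.b, "->", c.actual);
  }
}
```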

Solution

The Same Origin Policy is a foundational browser security mechanism that blocks malicious cross-origin interactions. It protects users from data theft, session hijacking, and unauthorized access, making it essential for safe web browsing.
