Difference between revisions of "Same Origin Policy"

From MgmtWiki
Revision as of 10:23, 21 November 2025

Meme

The Same Origin Policy (SOP) addresses key web security threats by preventing scripts from one origin from accessing data or resources from another origin. It protects against cross-site attacks like XSS, CSRF, and data theft.

The primary use has been as a browser origin policy, providing mitigations for some of the attacks against users of web browsers.

Context

  1. Threats Mitigated by the Same-Origin Policy
    1. **Cross-Site Scripting (XSS) Data Theft**
      1. **Threat**: Malicious scripts injected into a trusted site could access sensitive data (cookies, localStorage, session info).
      2. **SOP Defense**: Prevents scripts from reading data from other origins, even if embedded.
    2. **Cross-Site Request Forgery (CSRF)**
      1. **Threat**: An attacker tricks a user’s browser into sending authenticated requests to another site.
      2. **SOP Defense**: Restricts cross-origin access to response data, making CSRF harder to exploit without additional vectors.
    3. **Session Hijacking via Embedded Requests**
      1. **Threat**: A malicious site embeds content from another origin and tries to read session-specific responses.
      2. **SOP Defense**: Blocks JavaScript from accessing embedded content (e.g., iframes, images) from other origins.
    4. **Credential Leakage**
      1. **Threat**: Unauthorized access to cookies, tokens, or headers tied to another origin.
      2. **SOP Defense**: Ensures that only scripts from the same origin can access these credentials.
    5. **Unauthorized DOM Access**
      1. **Threat**: Scripts from one origin manipulate or inspect the DOM of another origin (e.g., popup windows, iframes).
      2. **SOP Defense**: Prevents cross-origin DOM access, preserving UI integrity and user privacy.
  2. How SOP Works
    1. Defines “origin” as the **scheme (protocol), host (domain), and port**.
    2. Two pages are same-origin only if all three match.
    3. SOP restricts:
      1. JavaScript access to cross-origin content.
      2. Reading response data from cross-origin requests.
      3. DOM manipulation across origins.

Weakening of the Same Origin

The first extension to the domain of a Same Origin Policy was to move from just the top level domain (like abc.def) to extensions for related sites.
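The following JavaScript is an added example, not part of this wiki page, illustrating both the strict scheme/host/port comparison from "How SOP Works" above and the "related sites" relaxation described in this section. It uses the standard WHATWG URL parser available in browsers and Node.js. The `DEFAULT_PORTS` table, the function names, and the `isRelatedOrigin` model (both documents opting in to the same parent domain, in the manner of the legacy `document.domain` mechanism) are assumptions of the example; the relaxed check deliberately does not consult the public suffix list, so a real browser would reject relaxations such as `co.uk` that this toy model accepts.

```javascript
// Added example (not the wiki's own code): modelling the Same Origin Policy's
// origin comparison and its "related sites" relaxation.
// Assumption: default ports are filled in from this table so that
// "https://example.com" and "https://example.com:443" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Split a URL into the three components the Same Origin Policy compares.
// The WHATWG parser lower-cases the host and strips a default port, so the
// normalisation below is what makes the three-way comparison reliable.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                              // e.g. "https:"
    host: u.hostname,                                // e.g. "example.com"
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // explicit or default port
  };
}

// Strict rule: two URLs are same-origin only if scheme, host AND port match.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Hypothetical model of the "related sites" relaxation: each side declares the
// parent domain it is willing to share (relaxedDomainA / relaxedDomainB). Access
// is allowed only when BOTH sides opt in to the same domain, both hosts sit
// under it, and the scheme still matches. Note that this toy version does not
// check the public suffix list, which real browsers do.
function isRelatedOrigin(a, b, relaxedDomainA, relaxedDomainB) {
  if (!relaxedDomainA || !relaxedDomainB) return false;   // one side did not opt in
  if (relaxedDomainA.toLowerCase() !== relaxedDomainB.toLowerCase()) return false;
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.scheme !== ob.scheme) return false;
  const d = relaxedDomainA.toLowerCase();
  const under = (host) => host === d || host.endsWith("." + d);
  return under(oa.host) && under(ob.host);
}

// Stand-alone demonstration on constructed URLs.
if (typeof require !== "undefined" && require.main === module) {
  console.log(isSameOrigin("https://example.com/a", "https://example.com:443/b")); // true
  console.log(isSameOrigin("http://example.com/", "https://example.com/"));        // false (scheme)
  console.log(isSameOrigin("https://example.com/", "https://api.example.com/"));   // false (host)
  console.log(isSameOrigin("https://example.com:8443/", "https://example.com/"));  // false (port)
  console.log(isRelatedOrigin("https://a.example.com/", "https://b.example.com/",
                              "example.com", "example.com"));                      // true
  console.log(isRelatedOrigin("https://a.example.com/", "https://evil.example/",
                              "example.com", "example.com"));                      // false
}
```

The practical point for defenders is that the relaxed check only returns true when both sides opt in, which is why a site that never sets a shared parent domain keeps the strict protection; any host under the parent domain becomes mutually trusted once it does, so the relaxation widens the trust boundary to every subdomain.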

Solution

The Same Origin Policy is a foundational browser security mechanism that blocks malicious cross-origin interactions. It protects users from **data theft, session hijacking, and unauthorized access**, making it essential for safe web browsing.
