Same Origin Policy

From MgmtWiki
Revision as of 10:04, 21 November 2025 by Tom (talk | contribs) (Meme)


Meme

The Same Origin Policy (SOP) addresses key web security threats by preventing scripts running in one origin from reading data or resources that belong to another origin. It limits what a malicious site can learn about a user's session on other sites and so narrows the impact of cross-site attacks such as XSS, CSRF, and data theft. It is a read barrier, not a send barrier: cross-origin requests can still be made, SOP only controls whether the script that made them can see the result.

Context

  1. Threats Mitigated by the Same-Origin Policy
      1.1 **Cross-Site Scripting (XSS) Data Theft**

- **Threat**: A script running on an attacker-controlled page tries to read sensitive data (cookies, localStorage, session-specific responses) belonging to a trusted site the user is logged in to.
- **SOP Defense**: Prevents scripts from reading data from other origins, even when that origin's content is embedded in the attacker's page. Note the limit: a script injected into the trusted site itself (a true XSS) runs inside the trusted origin and is not restricted by SOP at all; that case needs output encoding and Content Security Policy.

      1.2 **Cross-Site Request Forgery (CSRF)**

- **Threat**: An attacker tricks a user's browser into sending authenticated requests (with the user's cookies attached) to another site.
- **SOP Defense**: Restricts cross-origin access to the response data, so the attacker cannot read what came back. It does not stop the request from being sent or processed by the server, so state-changing endpoints still need anti-CSRF tokens, SameSite cookies, or server-side Origin checks.

      1.3 **Session Hijacking via Embedded Requests**

- **Threat**: A malicious site embeds content from another origin (iframes, images, scripts) and tries to read the session-specific responses the browser fetched with the victim's credentials.
- **SOP Defense**: Blocks JavaScript from reading embedded cross-origin content: the DOM of a cross-origin iframe is inaccessible, and a canvas that has drawn a cross-origin image becomes tainted and cannot be read back.

      1.4 **Credential Leakage**

- **Threat**: Unauthorized access to cookies, tokens, or headers tied to another origin.
- **SOP Defense**: Ensures that only scripts from the same origin can read per-origin storage such as localStorage, sessionStorage, and IndexedDB. Cookies are the exception: they are scoped by host and path rather than by origin, so `http://app.example` and `https://app.example:8443` share cookies unless the `Secure` flag or a `__Host-` prefix is used.

      1.5 **Unauthorized DOM Access**

- **Threat**: Scripts from one origin manipulate or inspect the DOM of another origin (e.g., popup windows, iframes).
- **SOP Defense**: Prevents cross-origin DOM access, preserving UI integrity and user privacy. Only a small set of cross-origin window properties stays reachable (for example `window.location` can be set and `postMessage` can be called), and `postMessage` is the sanctioned way for cooperating origins to exchange data.

---

  1. How SOP Works

- Defines "origin" as the **scheme (protocol), host (domain), and port**; a URL without an explicit port uses the scheme's default (80 for http, 443 for https).
- Two pages are same-origin only if all three match: `https://app.example` and `https://api.app.example` differ in host, `https://app.example` and `https://app.example:8443` differ in port, and `http://app.example` and `https://app.example` differ in scheme.
- SOP restricts:
 - JavaScript access to cross-origin content.
 - Reading response data from cross-origin requests.
 - DOM manipulation across origins.
- SOP does not restrict sending requests or embedding resources: forms can post, and `<img>`, `<script>`, and `<iframe>` can load from any origin. A server that wants to allow cross-origin reads opts in with CORS (`Access-Control-Allow-Origin`).
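The origin tuple and the read-only nature of the restriction are easiest to see in code. The following is an added example written for this page, not code from MgmtWiki: it models the browser's same-origin comparison (scheme, host, port, with default ports filled in) and the decision of whether a script may read a cross-origin response, including the CORS opt-in that relaxes the rule. This one block also illustrates the CSRF and session-hijacking threats listed above, since both hinge on the request being sent but the response being unreadable. The function names, the sample URLs (attacker.example, bank.example) and the response headers are assumptions constructed for the illustration; it runs under Node.js, which provides the `URL` class.

```javascript
// Added example (not from the MgmtWiki page): a small model of the browser's
// same-origin check and of the read restriction it imposes on cross-origin
// responses. Function names, sample URLs and headers are assumptions.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// The origin tuple: scheme, host, port. A URL without an explicit port gets
// the scheme's default, so https://a.example and https://a.example:443 agree.
// Schemes without a network host (file:, data:, about:) yield an opaque
// origin, represented here as null.
function originOf(url) {
  const u = new URL(url);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname.toLowerCase(),
    port: u.port === '' ? DEFAULT_PORTS[u.protocol] : u.port,
  };
}

// Same-origin only if all three components match. An opaque origin matches
// nothing, not even another URL with the same spelling.
function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  if (a === null || b === null) return false;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Case-insensitive header lookup over a plain object of response headers.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Whether script on pageUrl may read the body of a response from targetUrl.
// The request itself is always sent; if it carried the victim's cookies
// (credentialed = true, as for <img>/<form> loads or fetch with
// credentials: 'include'), the server acts on it regardless, which is what
// makes CSRF possible. SOP only gates the read. A cross-origin read needs
// the server's CORS opt-in, and a credentialed read additionally needs an
// exact origin match plus Access-Control-Allow-Credentials: true; the
// wildcard '*' never covers credentialed requests.
function scriptCanReadResponse(pageUrl, targetUrl, responseHeaders = {}, credentialed = false) {
  if (isSameOrigin(pageUrl, targetUrl)) return true;
  const allowOrigin = header(responseHeaders, 'access-control-allow-origin');
  if (allowOrigin === undefined) return false;
  if (allowOrigin === '*') return !credentialed;
  if (!isSameOrigin(pageUrl, allowOrigin)) return false;
  if (credentialed) {
    return header(responseHeaders, 'access-control-allow-credentials') === 'true';
  }
  return true;
}

// Constructed scenario: the victim is logged in at bank.example and visits
// attacker.example, whose script tries to fetch the victim's balance with
// the bank cookies attached.
const page = 'https://attacker.example/lure.html';
const balance = 'https://bank.example/api/balance';
console.log(isSameOrigin(page, balance));                             // false
console.log(scriptCanReadResponse(page, balance, {}, true));          // false: request sent, body unreadable
console.log(scriptCanReadResponse(page, balance,
  { 'Access-Control-Allow-Origin': '*' }, true));                     // false: '*' does not cover credentialed reads
console.log(scriptCanReadResponse(page, balance,
  { 'Access-Control-Allow-Origin': 'https://attacker.example',
    'Access-Control-Allow-Credentials': 'true' }, true));              // true: the bank explicitly opted in
```

The last case is the one to watch for in a review: a server that reflects the request's `Origin` header into `Access-Control-Allow-Origin` and also sends `Allow-Credentials: true` has switched SOP off for every origin, which is exactly the read the policy exists to block.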

Solution

The Same-Origin Policy is a **foundational browser security mechanism** that blocks malicious cross-origin reads. It protects users from **data theft, session hijacking, and unauthorized access** to another site's content, making it essential for safe web browsing. Because it is a read barrier rather than a complete defense, it is normally complemented by CORS for deliberate sharing, SameSite cookies and anti-CSRF tokens against forged requests, and Content Security Policy against script injection.

References