Same Origin Policy

From MgmtWiki
Revision as of 10:23, 21 November 2025 by Tom (talk | contribs) (Context)


Meme

The Same Origin Policy (SOP) addresses key web security threats by preventing scripts from one origin from accessing data or resources from another origin. It protects against cross-site attacks like XSS, CSRF, and data theft.

The primary use has been as a Browser Origin Policy, providing defenses against some of the attacks on users of Web Browsers.

Context

  1. Threats Mitigated by the Same-Origin Policy
    1. **Cross-Site Scripting (XSS) Data Theft**
      1. **Threat**: Malicious scripts injected into a trusted site could access sensitive data (cookies, localStorage, session info).
      2. **SOP Defense**: Prevents scripts from reading data from other origins, even if embedded.
    2. **Cross-Site Request Forgery (CSRF)**
      1. **Threat**: An attacker tricks a user's browser into sending authenticated requests to another site.
      2. **SOP Defense**: Restricts cross-origin access to response data, making CSRF harder to exploit without additional vectors.
    3. **Session Hijacking via Embedded Requests**
      1. **Threat**: A malicious site embeds content from another origin and tries to read session-specific responses.
      2. **SOP Defense**: Blocks JavaScript from accessing embedded content (e.g., iframes, images) from other origins.
    4. **Credential Leakage**
      1. **Threat**: Unauthorized access to cookies, tokens, or headers tied to another origin.
      2. **SOP Defense**: Ensures that only scripts from the same origin can access these credentials.
    5. **Unauthorized DOM Access**
      1. **Threat**: Scripts from one origin manipulate or inspect the DOM of another origin (e.g., popup windows, iframes).
      2. **SOP Defense**: Prevents cross-origin DOM access, preserving UI integrity and user privacy.
  2. How SOP Works
    1. Defines "origin" as the **scheme (protocol), host (domain), and port**.
    2. Two pages are same-origin only if all three match.
    3. SOP restricts:
      1. JavaScript access to cross-origin content.
      2. Reading response data from cross-origin requests.
      3. DOM manipulation across origins.
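The origin comparison described above, as an added example that is not part of this wiki page: it builds the (scheme, host, port) tuple from a URL with the standard URL class and checks that all three match. It goes slightly beyond the text by showing that path, query and fragment are ignored, that a default port is equivalent to no port, and that a subdomain is a different host. The hostnames are constructed sample values.

```javascript
// Added example (not from the MgmtWiki page): derive the origin tuple
// (scheme, host, port) the way browsers do and compare two URLs.
// Uses only the standard URL class, so it runs in Node or a browser.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Extract the three components that define an origin. Path, query and
// fragment are deliberately ignored: they never take part in the decision.
function originOf(urlString) {
  const url = new URL(urlString);
  // The URL parser strips a port equal to the scheme default, so fill it
  // back in: https://app.example:443/ and https://app.example/ share an origin.
  const port = url.port || DEFAULT_PORTS[url.protocol] || "";
  return { scheme: url.protocol, host: url.hostname, port };
}

// Same-origin only if scheme, host and port all match exactly.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample cases (hostnames are placeholders) covering the
// edge cases to check when reasoning about whether SOP applies.
const CASES = [
  ["https://app.example/page", "https://app.example/other?x=1#f", true],  // path/query/fragment ignored
  ["https://app.example/",     "https://app.example:443/",        true],  // default port == no port
  ["https://app.example/",     "http://app.example/",             false], // scheme differs
  ["https://app.example/",     "https://api.app.example/",        false], // subdomain is a different host
  ["https://app.example/",     "https://app.example:8443/",       false], // port differs
];

// Returns true only if every case produces the expected verdict.
function runCases() {
  return CASES.every(([a, b, expected]) => isSameOrigin(a, b) === expected);
}

console.log("all SOP cases agree:", runCases());
```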

Weakening of the Same Origin

The first extension to the scope of a Same Origin Policy was to move from a single domain (like abc.def) to related sites that share that domain.

Solution

The Same Origin Policy is a foundational browser security mechanism that blocks malicious cross-origin interactions. It protects users from **data theft, session hijacking, and unauthorized access**, making it essential for safe web browsing.

References