Same Origin Policy (SOP)
Same-Origin Policy (SOP) is a fundamental security mechanism in web browsers that restricts how resources and data can be shared across different origins. It ensures that web pages from one origin cannot access data or execute scripts from another origin without explicit permission.
1. What Is an Origin?
An origin is defined as a combination of the following components:
- Protocol: The scheme (e.g., http, https).
- Host: The domain name (e.g., example.com).
- Port: The port number (e.g., 80, 443).
Example:
If any of the components differ, the origin is considered different.
2. What Does Same-Origin Policy Restrict?
By default, SOP prevents scripts from accessing or interacting with resources across different origins. Common restrictions include:
a. Cross-Origin Requests
- JavaScript on one origin cannot make requests to a different origin and read the response.
- Example:- A script from https://example.com cannot fetch data from https://api.otherdomain.com.
 
b. DOM (Document Object Model) Access
- Scripts on one origin cannot interact with the DOM of a document from another origin.
- Example:- A page on https://example.com cannot manipulate or read the DOM of https://sub.example.com.
 
c. Cookies and Storage
- Cookies, localStorage, and sessionStorage are scoped to an origin and cannot be accessed by other origins.
3. Why Is SOP Important?
The Same-Origin Policy prevents malicious websites from performing unauthorized actions or stealing sensitive data from other origins. This is particularly crucial for:
- Preventing Cross-Site Scripting (XSS)- SOP ensures that scripts from one origin cannot interact with sensitive data on another origin.
 
- Mitigating Cross-Site Request Forgery (CSRF)- While SOP does not fully prevent CSRF, it limits the ability of malicious scripts to access responses from other origins.
 
- Protecting User Data- Ensures that sensitive resources like cookies, tokens, and credentials are accessible only to the intended origin.
 
4. Exceptions to Same-Origin Policy
In some cases, SOP restrictions can be intentionally relaxed:
a. Cross-Origin Resource Sharing (CORS)
- Definition: A mechanism that allows servers to specify which origins are permitted to access their resources.
- Example:- A server at https://api.otherdomain.com adds the following HTTP header:Access-Control-Allow-Origin: https://example.com
 
- A server at https://api.otherdomain.com adds the following HTTP header:
- This allows https://example.com to access the server’s resources.
b. JSONP
- A legacy technique for making cross-origin requests by embedding scripts in the document.
- Example:- Loading a script from https://api.otherdomain.com that returns JSON wrapped in a function call:<script src="https://api.otherdomain.com/data?callback=handleData"></script>
 
- Loading a script from https://api.otherdomain.com that returns JSON wrapped in a function call:
c. Window and Frame Communication
- Pages can communicate using postMessage to exchange data safely across origins.
- Example:targetWindow.postMessage('Hello, other origin!', 'https://otherdomain.com');
d. Proxy Servers
- Servers act as intermediaries to fetch resources from different origins, bypassing SOP.
e. Relaxed Policies for Certain Tags
- <img>, <script>, <iframe>, and <link> tags can fetch resources from other origins but cannot access the content directly.
5. Common Challenges with SOP
a. Legitimate Cross-Origin Requests
- Modern applications, especially Single-Page Applications (SPAs), often require interaction with APIs hosted on different origins.
b. Workarounds by Attackers
- Exploiting insecure CORS configurations or CSRF vulnerabilities to bypass SOP restrictions.
6. Mitigating SOP Exploitation
- Secure CORS Implementation- Allow only trusted origins in Access-Control-Allow-Origin.
- Avoid using * as a wildcard for origins.
 
- Use Secure Cookies- Mark cookies as HttpOnly and Secure to prevent unauthorized access.
- Use the SameSite attribute to mitigate CSRF risks.
 
- Validate Cross-Origin Communication- Use postMessage carefully by validating the sender’s origin.
 
- Content Security Policy (CSP)- Enforce strict resource loading policies to reduce the risk of malicious scripts.
 
7. Summary
| Aspect | Details | 
|---|---|
| Definition | A security mechanism restricting cross-origin interactions in browsers. | 
| Scope | Limits DOM access, cross-origin requests, and resource sharing. | 
| Purpose | Prevent unauthorized data access and protect user data. | 
| Exceptions | CORS, JSONP, postMessage, proxy servers, and resource-specific policies. | 
| Best Practices | Secure CORS policies, validate origins, enforce HttpOnly cookies. | 
The Same-Origin Policy is a cornerstone of web security, preventing unauthorized interactions between different origins. While necessary for securing web applications, exceptions like CORS must be configured carefully to balance functionality and security. Understanding and adhering to SOP principles is essential for protecting both users and applications from cross-origin attacks.
'Security Terms > Web Application' 카테고리의 다른 글
| Cookies (0) | 2025.01.22 | 
|---|---|
| HTTP Public Key Pinning (HPKP) (0) | 2025.01.22 | 
| Certificate Transparency (CT) (0) | 2025.01.22 | 
| HSTS (HTTP Strict Transport Security) (0) | 2025.01.21 | 
| CORS (Cross-Origin Resource Sharing) (0) | 2025.01.21 |