5.1.3 Same Origin

Same Origin Policy (SOP)

One of the most crucial aspects of web application security is the Same Origin Policy (SOP), which prevents a script or document from accessing or modifying properties of another document from a different origin. Notably, CSS stylesheets, images, and scripts are exceptions, as browsers load them without consulting the SOP.

Origin Definition

The SOP considers three components when defining an origin:

  • Protocol (e.g., http)

  • Host (e.g., www.elsptp.site with the Top Level Domain as site, Second Level Domain as elsptp, and Third Level Domain as www)

  • Port (e.g., 80)

Examples illustrating SOP compliance:

  • http://els.ptp.site/admin/index.php → ✓ (Same protocol, host, and port)

  • https://els.ptp.site/index.php → ✗ (Different protocol)

  • http://els.ptp.site/index.php:8080 → ✗ (Different port)

  • http://www.els.ptp.site/index.php → ✗ (Different host)

Noteworthy: Internet Explorer deviates slightly from other browsers, not considering the port in SOP and exempting highly trusted zone domains from SOP application.

What Does SOP Protect From?

SOP safeguards against cross-origin requests initiated by client-side scripts, preventing potential security threats, such as capturing personal information.

How SOP Works

The SOP rule is simple: "A document can access the properties of another document through JavaScript only if they have the same origin." Browsers execute requests but return responses to the user only if SOP is respected. Images, stylesheets, and JavaScript files are exceptions, always accessible regardless of origin.

Examples

Example 1:

  • Document on domain a.elsptp.site attempts to access a page on domain b.elsptp.site via an Ajax request.

  • Result: Access denied due to different origins.

Example 2:

  • Two documents, main document (index.html) and iframe document (iframe.html), both on http://www.elsptp.site.

  • JavaScript interactions are successful due to the same origin.

  • If the iframe points to http://www.mybank.bank, JavaScript fails due to different origins.

These examples highlight how SOP sets boundaries for many client-side attacks.

Exceptions

Several exceptions exist to SOP restrictions:

  1. Window.location: Documents can write the location property of another document.

  2. Document.domain: Describes the domain part of the origin and can be changed within certain constraints.

  3. Cross-window messaging: Allows communication between different documents.

  4. Cross-Origin Resource Sharing (CORS): Permits access to resources by bypassing SOP, using custom HTTP headers.

Window.location

  • Documents can write the location property of another document, allowing for redirection.

  • Examples demonstrate how documents with relationships (e.g., iframes, window.open) can change each other's location.

Document.domain

  • The document.domain property describes the domain part of the origin and can be changed within certain constraints.

  • Example: Changing document.domain to a higher level in the domain hierarchy allows documents to have the same origin.

Cross Window Messaging

  • HTML5 introduces Cross Window Messaging, enabling communication between different documents.

Cross Origin Resource Sharing (CORS)

  • CORS allows browsers to access resources across different origins, bypassing SOP.

  • Detailed coverage of CORS is reserved for the HTML5 module.

Last updated