Same Origin Policy - TairinySimeonato/WebAuditing GitHub Wiki
Same-origin policy is a security mechanism that restricts how a resource loaded from one origin can interact with a resource from another origin. It can reduce attack vectors by isolating potentially malicious documents.
What is an Origin?
Two URLs have the same origin if the scheme/host/port tuple is the same for both of them. The path, query string and fragment play no part in the comparison.
Example (each URL compared against http://www.example.com):
http://www.example.com/dir2/other.html --> Same origin (only the path differs)
https://www.example.com/ --> Failure (different protocol)
http://www.example.com:81 --> Failure (different port)
http://test.example.com --> Failure (different host)
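The tuple comparison above, written out as an added example (not code from the wiki) using the WHATWG URL parser that browsers and Node.js expose as the global URL. It also covers a case the table does not list: a URL that spells out the scheme's default port still has the same origin, because the parser drops the default port.

```javascript
// Added example: decide whether two URLs share an origin by comparing the
// scheme/host/port tuple, exactly as the same-origin policy does.

// Default ports per scheme, used when a URL does not state its port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Return the origin tuple of a URL. The URL parser leaves `port` empty when
// it equals the scheme's default, so "http://a" and "http://a:80" both map
// to port "80" here.
function originTuple(url) {
  const u = new URL(url);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs share an origin only if all three parts of the tuple match.
// Path, query and fragment are never consulted.
function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Report which part of the tuple differs, in the wording the wiki table uses.
function compareOrigins(base, other) {
  const x = originTuple(base), y = originTuple(other);
  if (x.scheme !== y.scheme) return "Failure (different protocol)";
  if (x.host !== y.host) return "Failure (different host)";
  if (x.port !== y.port) return "Failure (different port)";
  return "Same origin";
}

// The wiki's own examples plus the explicit-default-port case.
const BASE = "http://www.example.com";
const CASES = [
  "http://www.example.com/dir2/other.html",
  "https://www.example.com/",
  "http://www.example.com:81",
  "http://test.example.com",
  "http://www.example.com:80/", // explicit default port: still the same origin
];
for (const c of CASES) console.log(c.padEnd(40), compareOrigins(BASE, c));
```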
Security Applications
The same-origin policy aims to protect web applications that use authenticated sessions. Let's say a victim is using a bank website and does not log out. The user then visits another page containing malicious JavaScript that requests data from the bank site. The user is still logged in to the bank, so without the policy the attacker's code could read that data and act on the bank site in the victim's name. This is possible because the browser attaches the session cookies to any request sent to the bank's domain, no matter which page issued the request. The same-origin policy blocks this scenario: the attacker's page and the bank site have different origins, so the script is not allowed to read the bank's response.