Same-origin Policy (SOP)
Two URLs have the same origin when their scheme (protocol), host name and port are all identical. The Same-Origin Policy (SOP) is a security measure enforced by the browser, not the server: it restricts which content loaded from one origin can be read by JavaScript running in another origin, so that the data a user can see on one website cannot be read by scripts from a different website.
Here is a simple example. Imagine we use a browser to log into website A. The first time we log in, we enter a username and password. For convenience on later visits, the server returns a credential, a Cookie, and the browser stores it. On every subsequent request to website A the browser automatically attaches that cookie, so the server recognises the session and the login step is skipped.
Note: the cookie is stored only in the current browser profile. If you switch browsers, you will need to enter your username and password again.
Now imagine there were no Same-Origin Policy. A user named Xiao Hei logs into website A and then visits website B. Script on website B could open website A in the same browser, where the browser would attach Xiao Hei's cookie, and then read A's pages and data (or the cookie itself) and act as Xiao Hei. SOP prevents exactly this: B can still cause the browser to send requests to A (which is why CSRF defences are needed separately), but B's script cannot read A's documents or the responses to those requests.
Any one of the following makes two URLs different origins:
- Different protocol (scheme)
- Different domain (host name)
- Different port
Do note that localhost and 127.0.0.1 are different origins even though both point to the same host: the comparison is done on the host name string, not on the address it resolves to.
For example, take the URL http://normal-website.com/example/ and compare it with each of the following:
- http://normal-website.com/example2/ : Yes, same origin (same scheme, domain and port; the path does not matter)
- https://normal-website.com/example/ : No, different scheme and port (https defaults to port 443, http to port 80)
- http://en.normal-website.com/example/ : No, different domain (a subdomain is a different host name)
- http://www.normal-website.com/example/ : No, different domain
- http://normal-website.com:8080/example/ : No, different port (old versions of Internet Explorer ignored the port when comparing origins and would treat this as same origin)
Examples adapted from PortSwigger's Same-origin policy article.
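The comparison described above, written out as an added example (not code from the original page or from PortSwigger): a small JavaScript origin checker that extracts the scheme, host name and port from a URL, normalises default ports, and reports which of the three components differ. It uses only the standard WHATWG URL class, so it runs in Node.js or a browser console; the URLs in the sample run are the ones from the table above plus the localhost case.

```javascript
// Added example: origin comparison as the browser does it for SOP.
// Two URLs are the same origin iff scheme, host name and port all match.
// Path, query string and fragment are ignored.

// Default ports per scheme, used when the URL omits an explicit port.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Return the (scheme, host, port) triple that defines a URL's origin.
function originTuple(urlString) {
  const u = new URL(urlString);
  // URL.port is '' when the port is the scheme's default (e.g. ":80" on http),
  // so http://a.com and http://a.com:80 normalise to the same tuple.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  // URL.hostname is already lower-cased; 'localhost' and '127.0.0.1' stay distinct.
  return { scheme: u.protocol, host: u.hostname, port };
}

// Return the names of the components that differ: [] means same origin.
function originDiff(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  const diff = [];
  if (x.scheme !== y.scheme) diff.push('scheme');
  if (x.host !== y.host) diff.push('host');
  if (x.port !== y.port) diff.push('port');
  return diff;
}

// true iff a and b are the same origin under the Same-Origin Policy.
function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Cross-check against the browser/Node built-in: URL.origin yields
// "scheme://host[:port]" with default ports stripped.
function builtinSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Sample run over the table's URLs (constructed input, not real sites).
function demo() {
  const base = 'http://normal-website.com/example/';
  const candidates = [
    'http://normal-website.com/example2/',
    'https://normal-website.com/example/',
    'http://en.normal-website.com/example/',
    'http://www.normal-website.com/example/',
    'http://normal-website.com:8080/example/',
    'http://normal-website.com:80/example/',
  ];
  const rows = candidates.map((c) => {
    const diff = originDiff(base, c);
    return { url: c, sameOrigin: diff.length === 0, differs: diff };
  });
  rows.push({
    url: 'http://localhost:3000/ vs http://127.0.0.1:3000/',
    sameOrigin: sameOrigin('http://localhost:3000/', 'http://127.0.0.1:3000/'),
    differs: originDiff('http://localhost:3000/', 'http://127.0.0.1:3000/'),
  });
  return rows;
}

for (const row of demo()) {
  console.log(`${row.sameOrigin ? 'SAME ' : 'DIFF '} ${row.url} ${row.differs.join(',')}`);
}
```

In a real browser the consequence of a DIFF result is that a page on the first origin cannot read the DOM of a frame from the second, and a `fetch` to it with `credentials: 'include'` returns a response the script cannot read unless the target opts in with CORS headers.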
1) What is SOP?
2) Is SOP a mechanism enforced by the server or by the browser?
3) What are the three factors that determine whether two websites are the same origin?
4) Are 127.0.0.1 and localhost considered the same origin?
5) Are http://test.com/path1 and http://test.com/path2 considered the same origin?