Interview Bank

Same-origin Policy (SOP)


Last updated 1 year ago

Introduction

An origin is the combination of protocol (scheme), domain name (host) and port of a URL; two URLs with the same three values are the same origin, and the path, query string and fragment play no part in the comparison. The Same-Origin Policy (SOP) is a security measure implemented by browsers that restricts how a document or script loaded from one origin can read content loaded from another origin, so that data belonging to one website cannot be read by scripts running on another website. Note the word read: the browser will still send cross-origin requests (an image tag, a form submission, a fetch() call), but the response to such a request is not exposed to the calling script unless the target explicitly allows it through CORS.

Here is a simple example. Imagine we use a browser to log into website A. The first time we log in, we enter our username and password, and the server returns a credential, a cookie. The browser stores this cookie and automatically attaches it to every later request to website A, so the login step is skipped on subsequent visits.

Note: the cookie is stored only in the current browser. If you switch browsers, you will need to enter your username and password again.

The Same-Origin Policy applies to web browsers. Imagine there were no Same-Origin Policy, and a user named Xiao Hei logs into website A and then visits website B. Script on website B could send a request to website A (the browser attaches A's cookie automatically), read the response, and thereby act as Xiao Hei on website A: reading private pages or lifting session and anti-CSRF tokens out of them. SOP is what stops B's script from reading A's content. A related caveat worth knowing: the cookie jar itself is not partitioned by origin but by each cookie's own Domain and Path attributes (RFC 6265), which ignore the port and, unless the cookie is marked Secure, the scheme. So http://example.com:8080 and https://example.com are different origins that nevertheless receive the same cookies.
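The following is an added illustration, not code from the original page: a small model of the RFC 6265 cookie-matching rules, used to show that the cookie described above is attached to requests for several different origins. The cookie value and URLs are constructed for the example.

```javascript
// Added example: cookie scoping (RFC 6265) versus the origin tuple.
// A cookie is matched on domain and path only. The port is ignored, and the
// scheme is ignored unless the cookie carries the Secure attribute.

// Host "domain-matches" the cookie's domain when it is equal to it or is a
// subdomain of it. A cookie set without a Domain attribute is host-only
// and matches the exact host it was set on.
function domainMatches(host, cookie) {
  if (cookie.hostOnly) return host === cookie.domain;
  return host === cookie.domain || host.endsWith("." + cookie.domain);
}

// Request path "path-matches" the cookie path when it is identical, or the
// cookie path is a prefix that either ends in "/" or is followed by "/".
function pathMatches(reqPath, cookiePath) {
  if (reqPath === cookiePath) return true;
  if (!reqPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || reqPath[cookiePath.length] === "/";
}

// Would the browser attach `cookie` to a request for `urlString`?
function cookieSentTo(cookie, urlString) {
  const u = new URL(urlString);
  if (cookie.secure && u.protocol !== "https:") return false;
  return domainMatches(u.hostname, cookie) && pathMatches(u.pathname, cookie.path);
}

// Constructed cookie, as "website A" would have set it:
//   Set-Cookie: session=abc; Domain=example.com; Path=/
const sessionCookie = {
  name: "session", domain: "example.com", hostOnly: false, path: "/", secure: false,
};

// Constructed targets. The first three are three different origins, yet all
// receive the same cookie; the last two do not domain-match at all.
const TARGETS = [
  "http://example.com/account",
  "https://example.com/account",
  "http://example.com:8080/account",
  "http://api.example.com/v1/me",
  "http://notexample.com/",
  "http://test.com/",
];

for (const t of TARGETS) {
  console.log(t.padEnd(36), cookieSentTo(sessionCookie, t) ? "cookie sent" : "cookie NOT sent");
}
```

The point for the interview: the browser decides what to attach to a request using cookie rules, and decides what script may read from the response using the origin tuple. The two scopes are different, which is exactly why a cross-origin request can carry a valid session while its response stays unreadable.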

How to check if same origin

Protocol

Different protocol

http://example.com
https://example.com
ftp://example.com

Domain

Different domain

http://example.com
http://test.example.com <-- a subdomain is a different host, so a different origin
http://test.com

Port

Different port

http://example.com <-- port 80 (default for http)
https://example.com <-- port 443 (default for https), so different scheme and port
http://example.com:8080

A port that is written out explicitly but equals the scheme's default still counts as the same origin: http://example.com and http://example.com:80 are the same origin.

Do note that http://localhost and http://127.0.0.1 resolve to the same machine, but they are different origins because the host part of the URL is compared as a string, not by the address it resolves to.

Example questions

For example, consider the following URL:

http://normal-website.com/example/example.html

| URL accessed                              | Access permitted?                   |
|-------------------------------------------|-------------------------------------|
| http://normal-website.com/example/        | Yes: same scheme, domain, and port  |
| http://normal-website.com/example2/       | Yes: same scheme, domain, and port  |
| https://normal-website.com/example/       | No: different scheme and port       |
| http://en.normal-website.com/example/     | No: different domain                |
| http://www.normal-website.com/example/    | No: different domain                |
| http://normal-website.com:8080/example/   | No: different port*                 |

* Legacy Internet Explorer did not include the port in its origin comparison; all current browsers do.

Source: PortSwigger Web Security Academy, "Same-origin policy (SOP)".
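As an added example (not from the original page or from PortSwigger), here is an origin comparison written out in JavaScript using the WHATWG URL parser that browsers and Node share. It covers the three factors from the section above and reproduces the table, including the cases the table does not show: an explicit default port, upper-case scheme or host, and localhost versus 127.0.0.1. The URLs are the ones from the page; the helper names are my own.

```javascript
// Added example: the same-origin check as the browser performs it.
// Origin = (scheme, host, port). Path, query, fragment and userinfo are
// ignored. A missing port means the scheme's default port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Parse a URL into its origin tuple. The URL parser already lowercases the
// scheme and the host of http/https URLs, so "HTTP://EXAMPLE.COM" and
// "http://example.com" come out identical.
function originOf(urlString) {
  const u = new URL(urlString); // throws on malformed input
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.slice(0, -1), domain: u.hostname, port };
}

function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.domain === ob.domain && oa.port === ob.port;
}

// Same check, but phrased like the "Access permitted?" column of the table.
function explain(a, b) {
  const oa = originOf(a), ob = originOf(b);
  const diffs = [];
  if (oa.scheme !== ob.scheme) diffs.push("scheme");
  if (oa.domain !== ob.domain) diffs.push("domain");
  if (oa.port !== ob.port) diffs.push("port");
  return diffs.length === 0
    ? "Yes: same scheme, domain, and port"
    : `No: different ${diffs.join(" and ")}`;
}

// Constructed cases: the table above plus a few edge cases.
const BASE = "http://normal-website.com/example/example.html";
const CASES = [
  "http://normal-website.com/example/",
  "http://normal-website.com/example2/",
  "https://normal-website.com/example/",
  "http://en.normal-website.com/example/",
  "http://www.normal-website.com/example/",
  "http://normal-website.com:8080/example/",
  "http://normal-website.com:80/example/",   // explicit default port: still same origin
  "HTTP://NORMAL-WEBSITE.COM/other?q=1#frag", // case, query and fragment do not matter
  "https://normal-website.com:80/",           // only the scheme differs here
];

for (const c of CASES) console.log(c.padEnd(44), explain(BASE, c));
console.log("localhost vs 127.0.0.1:", isSameOrigin("http://localhost:3000/", "http://127.0.0.1:3000/"));
```

In practice you rarely write this by hand: for http and https URLs `new URL(x).origin` returns the serialized tuple ("http://normal-website.com", with the port only when it is not the default), and comparing two of those strings is equivalent to isSameOrigin above. The explicit version is here to make the three factors visible.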

Interview question

1) What is SOP?

2) Is SOP a mechanism enforced by the server or by the browser?

3) What are the 3 factors that determine whether 2 websites are the same origin?

4) Are 127.0.0.1 and localhost considered the same origin?

5) Are http://test.com/path1 and http://test.com/path2 considered the same origin?

Author

Chen Xing