The same-origin policy is one of several models that web browsers use to determine which JavaScript files in a web page should be executed; the determination is based on the domain (the origin).
Questions tagged [same-origin-policy]
146 questions
159 votes, 4 answers
Why is the same origin policy so important?
I can't really fully understand what same origin domain means. I know it means that when getting a resource from another domain (say a JS file) it will run from the context of the domain that serves it (like Google Analytics code), which means it…
YSY
60 votes, 2 answers
Why do browsers enforce the same-origin security policy on iframes?
I did a small test on Chrome (V37) today. I created a small page and loaded it to the browser:
Untitled Document
Normal page
56 votes, 2 answers
Why is the Access-Control-Allow-Origin header necessary?
I understand the purpose of the Access-Control-Allow-Credentials header, but can't see what problem the Access-Control-Allow-Origin header solves.
More precisely, it's easy to see how, if cross-domain AJAX requests with credentials were permitted by…
Mark Amery
46 votes, 3 answers
Why don't browsers block cross-site POSTs by default?
Same-origin policy (SOP) makes browsers block scripting from one origin to mess with another, unless explicitly being told not to do so. But cross-site POSTs are still allowed, creating the vector for CSRF attacks. The defense is anti-forgery…
Andrada2
43 votes, 7 answers
Will the same JavaScript fetched by HTTP and HTTPS be cached separately by the browser?
Say that a web server supports both HTTP and HTTPS. If a browser fetches the same JavaScript with an HTTP GET and an HTTPS GET, and the JavaScript is cache-able, will the browser cache two copies of the same JavaScript?
The reason I'm asking is that…
SamTest
28 votes, 7 answers
How do hackers trick frontend validation?
I've always read: Put validations in the backend. Frontend validations are for UX, not security. This is because bad actors can trick frontend validation. But I'm having a hard time wrapping my head around how a bad actor could trick it.
I never…
Dashiell Rose Bark-Huss
21 votes, 3 answers
What is the point of the same-domain rule for xmlhttprequest when script tags/JSONP can cross domains?
I get that I don't want a page loaded from stackoverflow.com to be able to request gmail.com on my behalf and read my email, but this seems to be simply a cookie issue.
Since JSONP bypasses same-origin entirely, I want to know why, instead of making…
XP84
19 votes, 2 answers
Using iframes to sandbox untrusted code
I'm trying to create an extensible platform, where my site will provide a model and some views (both client-side, in the browser) and third party sites may add their own views as well. The goal here is that only my model will make HTTP requests to…
mgibsonbr
18 votes, 2 answers
How is the lack of the "SameSite" cookie flag a risk?
Nowadays cookies can have HTTPOnly, Secure and SameSite flags. The purposes of HTTPOnly and Secure flags are pretty clear. But what does SameSite scripting prevent exactly and how?
Additionally, how would a scenario of successful "attacking" or…
Bob Ortiz
15 votes, 1 answer
How are Ajax requests vulnerable to CSRF attacks if the Same-origin policy is applied?
What I know about CSRF is that a malicious website tricks a normal user into issuing a request to a trusted website using a form.
I understand that is possible because we can post forms to different domains. However, I see posts of Stackoverflow…
Songo
15 votes, 4 answers
How does CSRF correlate with Same Origin Policy?
I'm trying to understand what roles CSRF and same origin play in the grand scheme of things. With CSRF, I'm able to pretty much do anything on other websites on clients by making requests. Same Origin Policy (SOP) preserves the data of other…
user1217974
15 votes, 1 answer
Cookie path protection within the same domain
The answer to this question about how cookies are potentially vulnerable between sub-domains sparked my curiosity.
As far as I know, if a cookie is set on a sub-path of the same domain (www.example.com/dogs), then it is not accessible to any other…
Yoav Aner
14 votes, 1 answer
How can I embed iframe securely without restricting its functionality?
I'd want to embed an iframe from an untrusted site into a web application. The iframe:
should be able to run Javascript and browser plugins (Flash, etc.)
should not be able to access my web application through Javascript
_self, _parent, _top links should…
Andrei Botalov
14 votes, 3 answers
Do browsers allow pages loaded in one tab to access/intercept/inject data in other tabs?
I was surprised to hear from this Reuters video that it was possible for a page loaded on one tab to access and/or inject data onto another page loaded on a different tab.
TL;DW (too lazy; didn't watch) The interviewee in the video suggests that…
jairo
11 votes, 2 answers
User-specific subdomains: JavaScript security
If I provide a public-facing website for users on my website at their own subdomain (e.g. bob.myapp.com) under their own control, can I allow them to execute arbitrary JavaScript without putting my main app server at risk (e.g. myapp.com)? The…
Brandon