Questions tagged [same-origin-policy]

The same-origin policy (SOP) is the browser security model that restricts how a document or script loaded from one origin may interact with resources from another origin. An origin is the combination of scheme, host and port; two URLs that differ in any of the three are cross-origin. The policy governs reading, for example whether a script may read another origin's DOM, storage or HTTP response body, not whether a script file executes: a page can still include and run cross-origin scripts and send cross-origin requests, it just cannot read what comes back unless the other origin opts in through a mechanism such as CORS.

146 questions
11 votes, 1 answer

Why is a "tainted canvas" a risk?

I understand the concern about a tainted canvas - the idea that the bits of an image from another site can be sent back to a malicious server. But can you explain the details of how exactly this works? Suppose the user visits nastysite.com and…
asked by M Katz (213)
10 votes, 3 answers

Why doesn't the same origin policy block get requests that contain arguments?

From what I understand, the same origin policy prevents scripts in a web page from talking to servers outside of the present domain (using post, xmlhttprequest, etc). I assumed that get requests (with arguments) across domains would also be…
asked by CountMurphy (211)
10 votes, 2 answers

What attacks are mitigated by requiring CORS for subresource integrity verification?

Can someone elaborate on the attacks alluded to in this paragraph from the W3C SubResource Integrity spec? In order to mitigate an attacker's ability to read data cross-origin by brute-forcing values via integrity checks, responses are only…
asked by ssokolow (403)
9 votes, 3 answers

E-mail read receipt through XSS

I recently stumbled upon a really silly/unsafe but interesting way to get a read receipt of an e-mail. I'm not 100% sure if the method in use works, which is why I'm asking it here. Gmail does not have read receipts. So, I got this e-mail from a…
asked by sudhacker (4,260)
9 votes, 2 answers

How did the Facebook Originull vulnerability of Access-Control-Allow-Origin: null allow cross-origin access?

Recently, a vulnerability in Facebook's messenger app which allowed attackers to access a user's private messages via cross-origin AJAX was patched and disclosed. Simple Bug allows Hackers to Read all your Private Facebook Messenger Chats The root of…
asked by Alexander O'Mara (8,774)
9 votes, 1 answer

Security about window.opener and iframes

I have 3 domains : domainA domainB domainC If I set target="_blank" on domainA with a link to domainC, domainC can access a bunch of properties of domainA. That's why I use target="_blank" rel="noopener noreferrer". Otherwise, things like easier…
asked by Xavier59 (2,874)
8 votes, 4 answers

Same-origin policy for desktop application?

The same-origin policy is one of the most important security features in our browsers. It basically provides sandboxing for our applications, which protects our users. Desktop applications can read anything on your computer. If you install a…
asked by Gudradain (6,921)
8 votes, 1 answer

Child iFrame hash verification of parent iFrame content

Consider the following scenario: Alice wishes to browse Victor's website while on the job at Initech. Victor's website is hosted on an alternative domain name system to which Initech's DNS does not peer. Eve (wishing to facilitate the free and…
asked by Indolering (852)
8 votes, 2 answers

Best practices for integrating external javascript?

I'm looking for some standard pieces of advice on how to integrate external JavaScript into a website. For example, on mywebsite.com: The thing is: if externalsite.com gets hacked,…
asked by Choumarin (181)
8 votes, 1 answer

Alternative to anti-CSRF tokens for AJAX request (Same Origin Policy)

I'm working on a PHP website based entirely on AJAX (via jQuery). It's a single page in which all requests are made by AJAX. Related to the protection against CSRF I have encountered the problem of having to manually include the token on every…
asked by cooper (183)
7 votes, 1 answer

Why can't CSRF JS read the token by GETting HTML?

1) User is logged in bank.com in one tab, where everything is secured by CSRF tokens. Then he opens evil.com in another tab. 2) Javascript in evil.com might try to make a POST request to bank.com/send_money only if it knew csrf_token. 3) In order…
asked by user3702861 (419)
7 votes, 1 answer

Same-origin policy for file: URLs in Android browser?

When you load a file:// URL in an Android WebView or in the Android browser, what does it treat as the origin? What can the Javascript on that page access? Can it access other files in the same directory? Other files elsewhere on the…
asked by D.W. (98,420)
7 votes, 4 answers

How come calls do not violate the Same Origin Policy?

I'm a bit confused regarding the subject of Same Origin Policy (SOP). If I understand correctly, the purpose of the SOP is to prevent one page from obtaining access to sensitive data on another web page. So for example, how come I can simply get a…
6 votes, 3 answers

Same Origin Policy - XHR response

I know that Same Origin Policy (SOP) prevents a page/script from one origin from reading the response from another origin, but it does not prevent the page/script from making an XMLHttpRequest (XHR) request to a different origin. From Mozilla's Developer…
6 votes, 1 answer

Why is a child window allowed to change the location of its parent?

Maybe a silly question. When opening a new tab via target="_blank", the page that loads in that tab is allowed to set a new location in the parent tab using: window.opener.location.replace('http://www.google.com'); Does this not violate the…
asked by mart1n (345)