Questions tagged [same-origin-policy]

The same-origin policy is one of several models that web browsers use to determine which JavaScript in a web page is allowed to execute; the decision is based on the domain (the origin).

146 questions
6 votes, 1 answer

Does returning Access-Control-Allow-Origin: * weaken the security of JSON GET responses?

The W3C CORS recommendation states: Certain types of resources should not attempt to specify particular authorized origins, but instead either deny or allow all origins. ... 3. A GET response whose entity body happens to parse as …
Matt McClure
  • 161
  • 4
6 votes, 5 answers

Why doesn't a simple HTTP request to display a remote web page violate the same-origin policy?

On a W3Schools page, I found that HTTP requests work like this: A client (a browser) sends an HTTP request to the web A web server receives the request, and runs an application to process it The server returns an HTTP response (output) to the…
K. Gabor
  • 81
  • 1
  • 4
6 votes, 1 answer

Why was the Same-origin policy originally introduced (before XMLHttpRequest)?

As I understand it, the Same-origin policy (SOP) basically prevents a script in a web page from obtaining or sending information from/to a different domain. I understand that this is important to prevent a page from grabbing private data and passing…
sleske
  • 1,622
  • 12
  • 22
6 votes, 2 answers

How do I correctly use CORS with OpenID Connect?

There seems to be a number of questions on several blogs, Q&A sites, and comments that ask variants of the question: How do I correctly use CORS with OpenID Connect? The context of these questions is usually applied to one of these roles: The…
makerofthings7
  • 50,090
  • 54
  • 250
  • 536
5 votes, 1 answer

SSO via HMAC and shared key. Can this be improved?

Given an authenticated user on A.com, we want to redirect the user to B.com so that she'll be immediately authenticated. The scheme I'm considering is very basic: A.com and B.com both share key S. On A.com, redirect the user to…
5 votes, 0 answers

Is Cross Site History Manipulation (XSHM) still relevant?

XSHM is a vulnerability which exploits the fact that the browser history object does not follow the Same Origin Policy and hence by tracking the changes made to this object we may be able to track a user's activities. Most of the online references…
Shurmajee
  • 7,285
  • 5
  • 27
  • 59
5 votes, 1 answer

Are restrictive same origin policies necessary?

The question is for the security community to resolve some misunderstandings here. The crux: Company (Wire) has a client (official-client.com) and a server code (e.g. official-server.com). CORS currently allows official-client.com to access…
mr.meer
  • 53
  • 3
5 votes, 1 answer

XSS security concerns from untrusted parent domains

There's lots of discussion about protecting content on example.com from user controlled content on subdomain.example.com (e.g. Github pages). What are the risks the other way around? If my content is hosted at subdomain.example.com, what attacks am…
5 votes, 1 answer

Would 'zero-knowledge' requests be a secure extension of SOP/CORS?

As far as I understand, the Same Origin Policy exists to prevent authenticated requests from other origins. So when a bad guy builds an evil website which tries to hijack the active authentication of my customers in order to manipulate or steal data…
JepZ
  • 151
  • 2
5 votes, 1 answer

When does the same-origin policy prevent a request from being sent?

I have been dealing with some confusions on the same-origin policy. Let's say my attack looks like this. On a page at evil.com the attacker has put (jQuery): $.post('http://bank.com/transfer', { to: 'ciro', amount: '100' }) The attacker then…
H4X
  • 161
  • 1
  • 7
5 votes, 3 answers

What purpose does Access-Control-Allow-Origin have?

I have a misunderstanding regarding CORS' Access-Control-Allow-Origin header. Its name says "allow", from which I understand that if I make a request from an "Origin" that is not allowed the request should fail. But I can always change /etc/hosts…
pepe
  • 53
  • 1
  • 4
5 votes, 1 answer

How does the same-origin-policy protect against PUT/DELETE CSRF?

I've read the OWASP guide for cross-site request forgery and it states that "other HTTP methods", such as PUT and DELETE could be theoretically used for CSRF. However with the same-origin-policy these requests are not executed. Why are PUT/DELETE…
boolean.is.null
  • 255
  • 1
  • 7
5 votes, 2 answers

Is same origin policy for web only useful because of cookies?

There is a same origin policy in the browser to ensure that e.g. a bad site won't read your data from Facebook. But it seems that the only problem that it tries to solve is that cookies are automatically sent with the request, which authenticates the…
4 votes, 4 answers

about CSRF on form submit

I'm surely missing something in the picture of how CSRF attacks and protections are working. My understanding in a form-submit scenario is the protection relies on an unpredictable token; somehow it is assumed the attacker can't get the token, why? If the…
Alex
  • 151
  • 1
  • 5
4 votes, 1 answer

Practical implications of 2014's android SOP vulnerability

For a project at university I have done research about all kinds of security issues, especially privacy-related ones, that have come up on mobile OS and applications over the last few years. One of the most infamous breaches I read about seems to be…
zinfandel
  • 1,233
  • 8
  • 10