Same Origin Policy

Intro

  • SOP restricts how a document or script loaded from one origin can interact with resources from another origin (cross-origin traffic)

  • Implemented and enforced in the browser

  • Applied in the background; no user interaction is required

  • Restricts access to:

    • DOM
    • Cookies (cookies are scoped by domain and path rather than by full origin, so they are not isolated by port)
    • WebStorage
      • Local Storage
      • Session Storage
    • IndexedDB
  • Restricts components:

    • JavaScript APIs
    • XMLHttpRequest (XHR), Fetch API
    • Flash (end of life 2020)
    • … Applets, Silverlight, XDomainRequest (legacy)

How it Works

An origin is the tuple (scheme, hostname, port). For https://www.bank.ch:443/ that is:

  • Scheme: https
  • Hostname: www.bank.ch
  • Port: 443 (the default for https, so it is normally omitted from the URL)

The browser compares these three parts of the page's origin with those of the requested resource. Only if all three match may script on the page read the response (here: additional resources from the bank website). Note that SOP restricts reading, not loading: a page can still embed images, stylesheets or scripts from other origins, which is exactly what the relaxation techniques below build on.
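As an added illustration (not part of the lecture notes): the origin comparison written out in JavaScript. The WHATWG URL API, available in browsers and Node, normalises default ports and host case the same way the browser's own check does. All URLs below are made up for the example.

```javascript
// Added example: derive the (scheme, host, port) origin of a URL and decide
// whether two URLs are same-origin. Path, query and fragment play no role.

// Default ports per scheme; the URL parser drops them, so we put them back
// to make the comparison explicit.
function defaultPort(protocol) {
  return { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" }[protocol] || "";
}

function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname,                       // parser lower-cases the host for us
    port: u.port || defaultPort(u.protocol), // "" means "default port for this scheme"
  };
}

// The same-origin check: all three parts must match exactly.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed cases: a page on the bank's site tries to read each URL.
const page = "https://www.bank.ch/account/overview?tab=cards#top";
const cases = {
  "https://www.bank.ch/api/balance": true,       // same scheme, host and port
  "https://www.bank.ch:443/api/balance": true,   // explicit default port: still the same origin
  "https://WWW.BANK.CH/api/balance": true,       // host comparison is case-insensitive
  "http://www.bank.ch/api/balance": false,       // scheme differs
  "https://api.bank.ch/balance": false,          // a subdomain is a different host
  "https://bank.ch/": false,                     // the parent domain is a different host too
  "https://www.bank.ch:8443/api": false,         // port differs
};

// Run every case and report the result next to the expectation.
function checkCases() {
  return Object.entries(cases).map(([url, expected]) => ({
    url,
    same: isSameOrigin(page, url),
    expected,
  }));
}

// Browsers expose the serialised form as location.origin, e.g. "https://www.bank.ch".
function serializedOrigin(url) {
  return new URL(url).origin;
}
```

The interesting cases are the ones a developer tends to get wrong by hand: the explicit `:443` is the same origin, while `api.bank.ch` and `bank.ch` are different hosts and therefore different origins even though they share the registrable domain.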

(SOP applies to all of these active components running in the browser)

  • JavaScript
  • ActiveX
  • Flash
  • Applet

In the early days SOP was strict and there was no sanctioned way to bypass it. Today there are several possibilities to relax it, so that an application can include, for example, Google Maps in the Pizza Jolo website.

Scenario: the customer wants to track in real time whether their pizza is on the way.

V1: Bypass SOP with a script include

Add a script tag whose src points to the foreign domain. SOP does not block embedding, and the included script runs with the privileges of the including page, as if it were our own code. This is risky: we allow every script Google serves to run inside our origin and thus to control our web service.

V2: JSONP (JSON with Padding)

JSON wrapped ("padded") in a call to a callback function named by the client, so that it can be loaded via a script tag. Gmail's contact list was compromised through this pattern: a page on a foreign origin included the data endpoint as a script while the user was logged in (JSON hijacking), which cost Google reputation. It remains a security risk. -> Follow up in another session.

V3: CORS (Cross-Origin Resource Sharing)

It is complex; there will be a separate session just for this.

The browser adds an Origin header to the request and receives an Access-Control-Allow-Origin header in the response. The browser then decides whether JavaScript on the page may read the resource: the server only states which origins it permits, enforcement stays in the browser.

null origin

Content in a sandboxed iframe (or loaded from a data: URL) has an opaque origin and sends the header Origin: null. A server that reflects or explicitly allows null in Access-Control-Allow-Origin gives any such frame access to its responses, which is dangerous.
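Added example for V3 and the null origin (not part of the lecture notes): the CORS exchange as plain functions. corsHeadersFor is the server side of a hypothetical api.pizza-jolo.ch with an allowlist, corsHeadersReflecting is the weak pattern that echoes any Origin, and browserAllowsRead is the decision the browser makes before handing the response body to script. The origins are constructed.

```javascript
// Added example: server-side CORS decision (allowlist vs. reflection) and the
// browser-side read check, including the Origin: null case.

const ALLOWED_ORIGINS = new Set([
  "https://www.pizza-jolo.ch",
  "https://track.pizza-jolo.ch",
]);

// Server side, allowlist version. Echoes the origin only if it is on the list,
// never "null", and adds Vary: Origin so caches keep per-origin answers apart.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders.origin;
  if (origin === undefined) return {};            // same-origin or non-browser client
  if (origin === "null" || !ALLOWED_ORIGINS.has(origin)) {
    return { vary: "Origin" };                     // no ACAO header: the browser blocks the read
  }
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
    vary: "Origin",
  };
}

// Server side, the weak pattern: reflect whatever Origin arrives. Combined with
// credentials this hands every site, including sandboxed iframes that send
// "Origin: null", read access to the logged-in user's data.
function corsHeadersReflecting(requestHeaders) {
  const origin = requestHeaders.origin;
  if (origin === undefined) return {};
  return {
    "access-control-allow-origin": origin,
    "access-control-allow-credentials": "true",
  };
}

// Browser side: may script running on pageOrigin read this response?
function browserAllowsRead(pageOrigin, responseHeaders, withCredentials) {
  const acao = responseHeaders["access-control-allow-origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials;      // wildcard never works with credentials
  if (acao !== pageOrigin) return false;
  if (withCredentials && responseHeaders["access-control-allow-credentials"] !== "true") {
    return false;
  }
  return true;
}

// One full exchange: a page on pageOrigin calls fetch(url, { credentials: "include" }).
// The browser adds the Origin header itself; the page cannot forge it.
function exchange(serverFn, pageOrigin) {
  const request = { origin: pageOrigin };
  const response = serverFn(request);
  return browserAllowsRead(pageOrigin, response, true);
}
```

Note that the browser still sends the request in both cases; what differs is only whether the response is released to script. That is why CORS protects data confidentiality but does nothing against cross-site request forgery on its own.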

WebSockets

Exist since HTML5.

ws:// and wss:// connections are not governed by SOP: the browser opens a socket to any host and lets the page read from it. It does send an Origin header with the handshake, but only the server can act on it. A server that does not check Origin lets any site open a socket from the victim's browser, with the victim's cookies attached (cross-site WebSocket hijacking), so WebSockets can become a way around SOP.
