SOP (Same-Origin Policy) restricts how a document or script loaded from one origin can interact with a resource from another origin (cross-origin traffic).
Implemented in the browser: it is enforced client-side, the server never sees it.
Policies are applied in the background; no user interaction is required.
Restricts access to:
- Local Storage
- Session Storage
- XMLHttpRequest (XHR), Fetch API
- Flash (discontinued end of 2020)
- … applets, Silverlight, XDomainRequest (legacy)
How it Works
Origin = Protocol + Hostname + Port, e.g. https://www.bank.ch:443 → protocol https, hostname www.bank.ch, port 443 (the port defaults to 80 for http and 443 for https)
The browser compares these three parameters; only if all three are identical may a script read additional resources from the bank website. Note the direction: embedding a foreign resource (an <img>, <script> or <iframe> from another origin) is allowed, reading its content across origins is not.
(All of these are active components running in the browser.)
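The comparison above, as an added example (not part of the lecture notes): a function that splits a URL into the (scheme, hostname, port) tuple the browser uses and compares two of them. The bank and pizza URLs are illustrative only; the point is which parts of a URL count and which (path, query, explicit default port) do not.

```javascript
// Added example: how a browser decides whether two URLs share an origin.
// An origin is the tuple (scheme, hostname, port); the port defaults to
// 80 for http/ws and 443 for https/wss. URLs below are illustrative only.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Return the origin tuple for a URL string. `new URL(...)` leaves `.port`
// empty when the port is the scheme default, so it is filled in explicitly
// here to make the three-way comparison visible.
function originTuple(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// All three components must match; anything else is a different origin.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Illustrative cases, from the point of view of a page at https://www.bank.ch
const page = 'https://www.bank.ch/account';
const cases = [
  ['https://www.bank.ch:443/api/balance', true],   // explicit default port: still same origin
  ['https://www.bank.ch/other/path?x=1', true],    // path and query do not matter
  ['http://www.bank.ch/api/balance', false],       // scheme differs
  ['https://api.bank.ch/balance', false],          // hostname differs (subdomain counts)
  ['https://www.bank.ch:8443/api/balance', false], // port differs
  ['https://maps.googleapis.com/maps', false],     // foreign site
];

function runCases() {
  return cases.map(([url, expected]) => ({ url, same: sameOrigin(page, url), expected }));
}

for (const c of runCases()) {
  console.log(`${c.same ? 'same-origin ' : 'cross-origin'}  ${c.url}`);
}
```

Note that `new URL('https://www.bank.ch:443').port` is the empty string: the browser normalises away the default port, which is why the explicit `:443` in the notes above is still the same origin as a URL without it.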
In the early days SOP was strict and there was no sanctioned way to bypass it. Today there are several mechanisms that deliberately relax it, so that, for example, the Pizza Jolo website can embed Google Maps.
Use case: the customer wants to track in real time whether his pizza is on the way.
V1: Bypass SOP with a <script> tag
Add a <script src=...> pointing at the foreign domain. SOP does not restrict loading scripts, and the loaded script executes in our origin with full privileges. It's risky: whoever controls that domain (or compromises it) controls our web service. For a fixed script file, Subresource Integrity (integrity="sha384-...") pins the expected hash; for a live data API it cannot help.
V2: JSONP (JSON with Padding)
The page defines a callback function and adds a <script> tag whose src returns the data wrapped in a call to that callback ("padding"). GET only, and it has the same trust problem as V1: the response is executed as script in our origin.
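The JSONP round trip, as an added example (not from the notes): the server side wraps the JSON payload in a call to the client-named callback, and the client side simulates what the <script> tag does, namely execute the response body with the page's own privileges. The Pizza Jolo endpoint, callback name and order data are invented; the callback-name check is the standard caveat, since the name is copied verbatim into executable code.

```javascript
// Added example: a minimal JSONP round trip. Endpoint, callback name and
// order data are invented for illustration.

// --- Pizza Jolo API, server side ---
// The client names a callback in the query string (?callback=showOrder);
// the server answers with JavaScript that calls it with the JSON payload.
// The name must be validated: it is pasted verbatim into executable code,
// so an unchecked value would let a caller inject arbitrary script.
function jsonpResponse(callbackName, payload) {
  if (!/^[A-Za-z_$][\w$]*$/.test(callbackName)) {
    throw new Error('invalid JSONP callback name');
  }
  return `${callbackName}(${JSON.stringify(payload)});`;
}

// --- customer's browser, client side ---
// A real page would define window.showOrder and then append
//   <script src="https://api.pizzajolo.example/order?id=42&callback=showOrder">
// The script tag is not subject to SOP, so the response body runs in the
// page's origin with the page's privileges. Simulated here by executing the
// body with the callback bound in scope.
function consumeJsonp(body, callbackName) {
  let received = null;
  const callback = (data) => { received = data; };
  new Function(callbackName, body)(callback);
  return received;
}

function trackOrder() {
  const body = jsonpResponse('showOrder', { order: 42, status: 'on the way', eta_min: 12 });
  return consumeJsonp(body, 'showOrder');
}

console.log(trackOrder());
```

Whatever the API returns is executed, not merely parsed: that is why JSONP carries the same trust problem as a foreign <script> tag, and why a server must reject callback names like `alert(1);//`.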
V3: CORS (Cross-Origin Resource Sharing)
It's complex and we'll get another session just for this stuff.
The browser sends an Origin header with the request and gets an Access-Control-Allow-Origin header back. The request itself is not blocked; the browser decides, based on that response header, whether JS is allowed to read the response or not.
Also possible with iframes; dangerous if the embedded origin is not trusted.
Exists since HTML5.
WebSockets: ws:// (and wss://) does not integrate with SOP! The browser lets any page open a connection and only sends an Origin header along; the server has to validate that header itself. A server that does not check Origin can be driven cross-site from any page, so you may be able to bypass stuff here.
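The CORS exchange from both sides, plus the Origin check a WebSocket server must do on its own, as one added example that is not part of the notes (it serves both the V3 CORS passage and the WebSocket note above, since both come down to the server comparing the Origin header against an allow-list). Origins, the allow-list and the request shapes are invented; the "weak" variant reflects any Origin with credentials enabled, which is the misconfiguration to avoid, and the corrected variant sits beside it.

```javascript
// Added example: CORS decision on the server, the read decision in the
// browser, and the Origin check for a WebSocket upgrade. Origins and
// allow-list are invented; this is not the code of any real server or browser.

const ALLOWED_ORIGINS = new Set(['https://www.pizzajolo.example']);

// --- server side: decide the CORS response headers ---
// Weak variant: reflect whatever Origin arrives and allow credentials.
// Any site can then read the authenticated response of a visiting user.
function corsHeadersWeak(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Corrected variant: answer only for origins we trust, omit the header otherwise.
// 'Vary: Origin' tells caches that the answer depends on the requester.
function corsHeaders(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// --- browser side: may the page's JavaScript read this response? ---
// The browser does not block the request; it sends it with an Origin header
// and then checks the answer. '*' is accepted only for requests without
// credentials (cookies, HTTP auth), never together with them.
function browserMayRead(pageOrigin, withCredentials, responseHeaders) {
  const allow = responseHeaders['Access-Control-Allow-Origin'];
  if (allow === undefined) return false;
  if (allow === '*') return !withCredentials;
  if (allow !== pageOrigin) return false;
  if (withCredentials && responseHeaders['Access-Control-Allow-Credentials'] !== 'true') return false;
  return true;
}

// --- WebSocket upgrade: SOP does not apply, so the server must check Origin ---
// Header names are assumed lower-cased (as Node's http module delivers them).
function acceptWebSocketUpgrade(headers) {
  if ((headers['upgrade'] || '').toLowerCase() !== 'websocket') return false;
  const origin = headers['origin'];
  // Browsers always send Origin on an upgrade; a missing header means a
  // non-browser client, which SOP never protected anyway. Reject it here
  // because this endpoint is only meant for the pizzajolo page.
  return origin !== undefined && ALLOWED_ORIGINS.has(origin);
}

// Scenario: the customer's page at pizzajolo calls the tracking API with
// cookies; then an attacker's page tries the same from evil.example.
function scenario() {
  const good = 'https://www.pizzajolo.example';
  const evil = 'https://evil.example';
  return {
    goodStrict: browserMayRead(good, true, corsHeaders(good)),      // true
    evilStrict: browserMayRead(evil, true, corsHeaders(evil)),      // false
    evilWeak: browserMayRead(evil, true, corsHeadersWeak(evil)),    // true: the leak
    goodWs: acceptWebSocketUpgrade({ upgrade: 'websocket', origin: good }), // true
    evilWs: acceptWebSocketUpgrade({ upgrade: 'websocket', origin: evil }), // false
  };
}

console.log(scenario());
```

The `evilWeak` result is the point of the weak variant: with Origin reflected and credentials allowed, the attacker's page reads the customer's authenticated response. The WebSocket check is the server-side equivalent, and it is all there is, because the browser will not refuse the connection for it.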