Open In App

What is Same Origin Policy (SOP)?

Last Updated : 05 Oct, 2021
Improve
Improve
Like Article
Like
Save
Share
Report

Same origin policy is a browser security feature that restricts a document or script loaded by one origin, to access or interact with documents or scripts from another origin. An origin consists of protocol, host and port. 

For example, consider the following URL:

https://geeksforgeeks.com

In the above example “https://” is the protocol, “geeksforgeeks.com” is the host and port is “80”. 

Note : By default websites use port 80.

Same Origin Policy is necessary because when the browser makes a HTTP request from a origin to another origin all the associated data i.e cookies, authentication tokens, sessions or any relevant data is sent as part of the request. If the other origin is malicious, it will be able to access all information of the victim user.

Example: 

If there was no Same Origin Policy in place and you visit a malicious website it would be able to read all messages from your social networking account.

Two origins are said to be same, when they have same protocol, host and port.

Let us compare the origin “https://geeksforgeeks.com” with the origins in the table below.

URL Same Origin?
https://geeksforgeeks.com/example1 Yes, same protocol, host and port. Only the URL path differs.
https://geeksforgeeks.com/example/example.html  Yes, same protocol, host and port. Only the URL path differs.
http://geeksforgeeks.com/example No,  protocol is different.
https://practice.geeksforgeeks.com/example No, host is different.
http://www.geeksforgeeks.com/example No, host and protocol is different
https://geeksforgeeks.com:81/example No, port is different

Note: Internet Explorer will allow “https://geeksforgeeks:81/example” because IE doesn’t consider port number when applying same origin policy.

When Same Origin Policy enforces restrictions ?

The Same Origin Policy is applied by the browser, when two different origins are involved.

  • Contents from an iframe is not accessible by the page unless they are from the same origin.
  • XMLHttpRequests are not allowed.
  • Session Cookies from a particular site cannot be sent to a page with different origin.

Note: In case of cookies protocol and port are not checked. Only host is checked.

Same Origin Policy  doesn’t completely restricts interaction between two origins. The browsers check whether the interactions between the two origins poses a threat or not, if not, it allows the interactions.

Cross origin loading of page resource is generally allowed. You can embed an image with <image> tag, script with <script> tag or a video with <video> from a different site but any javascript code will not be able to read the content of these cross origin embedded elements.

Is Same Origin Policy enough ?

Same Origin Policy enforces some security but it is not enough to prevent all kinds of attacks. Some of them are:

  • Cross Site Request Forgery(CSRF) attack which basically takes advantage of different origins. This is why anti-CSRF tokens should be used in addition to Same Origin Policy.
  • Cross Site Scripting(XSS) attacks can also be prevented by Same Origin Policy but in order to prevent it will have to restricts loading of scripts from external sources, which may break the functionality of web applications.

Like Article
Suggest improvement
Previous
How to Mitigate a DDoS Attack?
Next
What is a network switch, and how does it work?
Share your thoughts in the comments

Similar Reads

Introduction to Senders Policy Framework (SPF)
Cyber Security Policy
Packet flow in the same Network
Same Site Scripting
Can Two IP Addresses Be Same?
What Happens When Two Hosts Have the Same IP Address?
USER POLICY
Privacy Policy

B
baddrink887
Article Tags :
We use cookies to ensure you have the best browsing experience on our website. By using our site, you acknowledge that you have read and understood our Cookie Policy & Privacy Policy
Lightbox