What is Same Origin Policy (SOP)?
Same Origin Policy is a browser security feature that restricts a document or script loaded from one origin from reading or interacting with documents or scripts from another origin. An origin consists of the protocol (scheme), host and port.
For example, consider the origin used throughout this article, https://geeksforgeeks.com. Here "https://" is the protocol, "geeksforgeeks.com" is the host and the port is 443.
Note: when a URL does not name a port, the browser uses the default port of the scheme: 80 for http and 443 for https. Writing the default port explicitly (https://geeksforgeeks.com:443) does not create a different origin. The path, query string and fragment are not part of the origin.
Same Origin Policy is necessary because when the browser sends an HTTP request from one origin to another, it attaches the credentials it holds for the target site, i.e. its cookies (and therefore the session or authentication token stored in them). The request is made with the victim's identity. If the requesting page is malicious and were allowed to read the response, it would obtain whatever the target site returns for the logged-in user.
If there were no Same Origin Policy in place and you visited a malicious website, it could fetch your social networking account's pages with your cookies attached and read all of your messages.
Two URLs are said to have the same origin when they share the same protocol, host and port.
Let us compare the origin “https://geeksforgeeks.com” with the origins in the table below.
| URL | Same Origin? |
| --- | --- |
| https://geeksforgeeks.com/example1 | Yes, same protocol, host and port. Only the URL path differs. |
| https://geeksforgeeks.com/example/example.html | Yes, same protocol, host and port. Only the URL path differs. |
| http://geeksforgeeks.com/example | No, protocol is different. |
| https://practice.geeksforgeeks.com/example | No, host is different. |
| http://www.geeksforgeeks.com/example | No, host and protocol are different. |
| https://geeksforgeeks.com:81/example | No, port is different. |
Note: Internet Explorer (now retired) was the exception: it did not consider the port number when applying the Same Origin Policy, so it treated https://geeksforgeeks.com:81/example as the same origin as https://geeksforgeeks.com. It also relaxed the policy between sites placed in its Trusted Sites zone.
When does Same Origin Policy enforce restrictions?
The Same Origin Policy is applied by the browser whenever two different origins are involved. Examples:
- The contents of an iframe (or of a window the page opened) are not accessible to the page unless they are from the same origin; cross-origin access to properties such as contentDocument throws a DOMException.
- A cross-origin XMLHttpRequest or fetch() is sent, but the script cannot read the response (status, headers or body) unless the server opts in with CORS headers.
- Cookies belonging to one site are not exposed to pages from a different origin: document.cookie only returns the cookies of the page's own host.
Note: cookies are not scoped by full origin. They are scoped by host (and optionally path); the port is ignored, and the protocol matters only through the Secure attribute, which limits a cookie to HTTPS.
Same Origin Policy does not completely block interaction between two origins. The rule of thumb is that cross-origin writes (navigating to a URL, submitting a form, following a redirect) and cross-origin embedding (loading scripts, images, stylesheets, fonts and iframes from another origin) are allowed, while cross-origin reads (reading a response body, another frame's DOM, or the pixels of an embedded image) are blocked unless the other origin explicitly opts in, for example through CORS.
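The read / write / embed rule above, as an added example that is not from the original article: a simplified model of the browser's decision, including the CORS opt-in that can make a cross-origin response readable. The origins (evil.example, the /api/messages path) and the header values are constructed for the scenario; the response headers are the ones the target server is assumed to send back, and a real server would of course not echo an untrusted origin as the last case does.

```javascript
// Added example (not from the original article): a simplified model of the
// read / write / embed distinction the browser applies across origins, with the
// CORS check that can open up a cross-origin read.

const originOf = (url) => new URL(url).origin;

// Each interaction a page can have with a target URL, classified as the browser does.
const INTERACTIONS = {
  navigate:       "write", // links, window.location, redirects
  formSubmit:     "write", // <form action> POST; the target's cookies are attached
  image:          "embed", // <img src>: rendered, pixels not readable
  script:         "embed", // <script src>: executed, source text not readable
  iframe:         "embed", // <iframe src>: rendered, DOM not readable
  fetchRead:      "read",  // fetch()/XMLHttpRequest and reading the response
  frameDomAccess: "read",  // iframe.contentDocument / window.opener.document
};

// Model of the CORS check: may a script on pageUrl read a response from targetUrl,
// given the headers the target server sent back?
function canReadResponse(pageUrl, targetUrl, responseHeaders = {}, withCredentials = false) {
  const page = originOf(pageUrl);
  if (page === originOf(targetUrl)) return true;
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];
  if (withCredentials) {
    // A credentialed (cookie-bearing) response is readable only if the server echoes
    // the exact requesting origin and explicitly allows credentials; "*" is rejected.
    return acao === page && acac === "true";
  }
  return acao === "*" || acao === page;
}

// Decide whether pageUrl may perform `interaction` against targetUrl.
function isAllowed(pageUrl, targetUrl, interaction, responseHeaders = {}, withCredentials = false) {
  const kind = INTERACTIONS[interaction];
  if (!kind) throw new Error(`unknown interaction: ${interaction}`);
  if (originOf(pageUrl) === originOf(targetUrl)) return { allowed: true, reason: "same origin" };
  if (kind === "write") return { allowed: true, reason: "cross-origin writes are permitted (the root of CSRF)" };
  if (kind === "embed") return { allowed: true, reason: "cross-origin embedding is permitted; the content stays opaque" };
  if (interaction === "frameDomAccess") return { allowed: false, reason: "cross-origin DOM access is never permitted" };
  const ok = canReadResponse(pageUrl, targetUrl, responseHeaders, withCredentials);
  return { allowed: ok, reason: ok ? "server opted in via CORS" : "no CORS opt-in; response is opaque to the script" };
}

// Constructed scenario: a page on evil.example targeting the victim's messages endpoint.
const ATTACKER = "https://evil.example/index.html";
const TARGET = "https://geeksforgeeks.com/api/messages";

function demo() {
  return {
    embedScript: isAllowed(ATTACKER, TARGET, "script"),
    postForm: isAllowed(ATTACKER, TARGET, "formSubmit"),
    readFrame: isAllowed(ATTACKER, TARGET, "frameDomAccess"),
    readNoCors: isAllowed(ATTACKER, TARGET, "fetchRead", {}, true),
    readWildcardWithCookies: isAllowed(ATTACKER, TARGET, "fetchRead",
      { "access-control-allow-origin": "*" }, true),
    readOptedIn: isAllowed(ATTACKER, TARGET, "fetchRead",
      { "access-control-allow-origin": "https://evil.example", "access-control-allow-credentials": "true" }, true),
  };
}

if (typeof require !== "undefined" && require.main === module) {
  for (const [name, r] of Object.entries(demo())) {
    console.log(`${name.padEnd(24)} ${r.allowed ? "allowed" : "blocked"}: ${r.reason}`);
  }
}
```

The two fetch cases with cookies are the ones worth remembering: a bare wildcard in Access-Control-Allow-Origin does not make a credentialed response readable, and a server that echoes arbitrary Origin values together with Allow-Credentials: true has effectively switched the Same Origin Policy off for that endpoint.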
Is Same Origin Policy enough?
Same Origin Policy provides an important baseline, but it is not enough to prevent all kinds of attacks. Some of them are:
- Cross-Site Request Forgery (CSRF) attacks exploit exactly the interaction the policy permits: a malicious page can submit a form or navigate to a URL on another origin, and the browser attaches the victim's cookies to that request. The attacker never needs to read the response, so the Same Origin Policy does not stop the state change. This is why anti-CSRF tokens (and the SameSite cookie attribute) should be used in addition to the Same Origin Policy.
- Cross-Site Scripting (XSS) attacks are not prevented by the Same Origin Policy either, because an injected script runs inside the vulnerable origin itself and therefore has the same access as the site's own code. Restricting where scripts may be loaded from is the job of a Content Security Policy, and such restrictions can break the functionality of existing web applications; the primary defence against XSS remains validating input and encoding output.