Ep-3: Same-Origin Policy

Table Of Contents

Key Questions

What Is The Origin?

"Remember Me" Login Functionality

  1. You authenticate to
  2. sends an authentication cookie to your browser
    • Set-Cookie: auth=RANDOM_CHARS;
  3. You close your browser
  4. When you revisit, you don't have to reenter your credentials
    • Any request to will contain the authentication cookie

Why We Need SOP

  1. Visit
  2. What prevents's JavaScript from interacting with
    • Same-Origin Policy helps scope's requests to
      • One layer of defense

SOP Definition

SOP Definition (CONT)

Table 1: Comparison

URL | SOP Violation?
    | No
    | No
    | Yes (Different scheme)
    | Yes (Different port)
    | Yes (Different host)
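Added example, not from the slides: a small JavaScript check that compares two URLs on the (scheme, host, port) triple the way the browser does and reports which component breaks the same origin, using the verdict labels from Table 1. The URLs inside it are constructed for illustration.

```javascript
// Added example (not part of the original deck). Compares two URLs the way
// the Same-Origin Policy does: scheme, host and port must all match.
// Path, query and fragment are ignored, and an explicit default port
// (https://example.com:443) is treated as the same origin as no port.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser already drops a default port, so fill it back in
  // from the scheme to get a comparable "effective port".
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Returns { violation, reason } using Table 1's wording.
function sopCheck(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  if (a.scheme !== b.scheme) return { violation: true, reason: "Different scheme" };
  if (a.host !== b.host) return { violation: true, reason: "Different host" };
  if (a.port !== b.port) return { violation: true, reason: "Different port" };
  return { violation: false, reason: "Same origin" };
}

// Constructed pairs that cover each row of Table 1.
const PAIRS = [
  ["https://example.com/index.html", "https://example.com/account?id=1"],
  ["https://example.com", "https://example.com:443/"],
  ["https://example.com", "http://example.com"],
  ["https://example.com", "https://example.com:8443"],
  ["https://example.com", "https://api.example.com"],
];

for (const [a, b] of PAIRS) {
  const r = sopCheck(a, b);
  console.log(`${a}  vs  ${b}  ->  ${r.violation ? "Yes" : "No"} (${r.reason})`);
}
```

Note that a subdomain counts as a different host, so a cookie scoped to the parent domain does not by itself make two subdomains the same origin.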

SOP Edge Cases

SOP Rules

SOP Rules: Cross-Origin Embedding Examples

SOP Rules: Cross-Origin Embedding Examples (CONT.)

How To Prevent Cross-Origin Writes?

Synchronizer Token Pattern

How To Allow Cross-Origin Access?