
Ep-3: Same-Origin Policy

Table Of Contents

Key Questions

What Is The Origin?

"Remember Me" Login Functionality

  1. You authenticate to bank.com
  2. bank.com sends an authentication cookie to your browser
    • Set-Cookie: auth=RANDOM_CHARS; Domain=bank.com
  3. You close your browser
  4. When you revisit bank.com, you don't have to reenter your credentials
    • Any request to bank.com will contain the authentication cookie

Why We Need SOP

  1. Visit evil.com
  2. What prevents evil.com's JavaScript from interacting with bank.com?
    • Same-Origin Policy helps scope evil.com's requests to evil.com
      • One layer of defense

SOP Definition

SOP Definition (CONT)

Table 1: Comparison

  URL                                              SOP Violation?
  http://store.company.com/dir2/other.html         No
  http://store.company.com/dir/inner/another.html  No
  https://store.company.com/secure.html            Yes (Different scheme)
  http://store.company.com:81/dir/etc.html         Yes (Different port)
  http://news.company.com/dir/other.html           Yes (Different host)
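The origin comparison behind Table 1, as an added example (not code from the original slides): an origin is the (scheme, host, port) triple, and two URLs are same-origin only when all three match. The reference page `BASE` is an assumption, since the slides do not state which URL the table rows are compared against; every row is consistent with it.

```javascript
// Added example, not part of the original slides. BASE is an assumed
// reference page; the table rows are compared against it.
const BASE = "http://store.company.com/dir/page.html";

// Default ports per scheme, so "http://host:80/" and "http://host/"
// normalise to the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port).
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,
    host: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Returns null when the two URLs are same-origin; otherwise the name of
// the first tuple component that differs, in the order scheme, host, port.
function sopViolation(base, other) {
  const a = originOf(base);
  const b = originOf(other);
  for (const key of ["scheme", "host", "port"]) {
    if (a[key] !== b[key]) return key;
  }
  return null;
}

// The URLs from Table 1.
const TABLE = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/secure.html",
  "http://store.company.com:81/dir/etc.html",
  "http://news.company.com/dir/other.html",
];

// Reproduce the table: path differences never matter, scheme/host/port do.
for (const url of TABLE) {
  const v = sopViolation(BASE, url);
  console.log(url.padEnd(48), v ? `Yes (Different ${v})` : "No");
}
```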

SOP Edge Cases

SOP Rules

SOP Rules: Cross-Origin Embedding Examples

SOP Rules: Cross-Origin Embedding Examples (CONT.)

How To Prevent Cross-Origin Writes?

Synchronizer Token Pattern

How To Allow Cross-Origin Access?
