In computing, the same-origin policy ( SOP ) is a concept in the web-app application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin . An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's (DOM).
31-646: This mechanism bears a particular significance for modern web applications that extensively depend on HTTPS cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity. The same-origin policy applies only to scripts. This means that resources such as images, CSS, and dynamically loaded scripts can be accessed across origins via
62-544: A fair number of security problems, such as the generally undesirable ability of any locally stored HTML file to access all other files on the disk, or communicate with any site on the Internet. Lastly, certain types of attacks, such as DNS rebinding or server-side proxies, permit the host name check to be partly subverted, and make it possible for rogue web pages to directly interact with sites through addresses other than their "true", canonical origin. The impact of such attacks
93-405: A host computer. Taint checks highlight specific security risks primarily associated with web sites which are attacked using techniques such as SQL injection or buffer overflow attack approaches. The concept behind taint checking is that any variable that can be modified by an outside user (for example a variable set by a field in a web form ) poses a potential security risk. If that variable
124-474: A list of the user's last transactions, create a new transaction, etc. This is because, in the original spirit of a World Wide Web, browsers are required to tag along authentication details such as session cookies and platform-level kinds of the Authorization request header to the banking site based on the domain of the banking site. The bank site owners would expect that regular browsers of users visiting
155-619: A number of features and also added proprietary extensions to the HTML standard. Notably, Netscape 2 was the first browser to support JavaScript and animated GIFs , two technologies still predominant on the web today. The browser introduced many new or improved features: To promote Netscape Navigator, Netscape developed the "Netscape Now" program. The program promoted the display of the "Netscape Now! 2.0" web badge on websites with newly supported features, including frames, live objects, Java applets, and JavaScript. The support for plugins led to
186-416: A potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and doesn't log out. Then, the user goes to another site that has malicious JavaScript code that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get
217-400: A single execution trace of that system, the results of taint analysis will necessarily reflect approximate information regarding the information flow characteristics of the system to which it is applied. The following dangerous Perl code opens a large SQL injection vulnerability by not checking the value of the $ name variable: If taint checking is turned on, Perl would refuse to run
248-569: A user it would allow websites to attempt to read JavaScript properties of windows and frames belonging to a different domain. The browser would then ask the user whether to permit the access in question. If two windows (or frames) contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows, and each window can interact with the other. For example, cooperating scripts in documents loaded from orders.example.com and catalog.example.com might set their document.domain properties to “example.com”, thereby making
279-469: Is limited to very specific scenarios, since the browser still believes that it is interacting with the attacker's site, and therefore does not disclose third-party cookies or other sensitive information to the attacker. Even when same-origin policy is in effect (without being relaxed by Cross-Origin Resource Sharing), certain cross-origin attacks can be performed. WebRTC can be used to find out
310-468: Is to use a prepared statement to sanitize all variable input for a query. One thing to note is that Perl DBI requires one to set the TaintIn attribute of a database handle as well as enabling taint mode to check one's SQL strings. Perl supported tainting in setuid scripts from at least version 3.0 (released in 1989), though it was not until version 5.0 (released in 1994) that the -T switch
341-418: Is used in an expression that sets a second variable, that second variable is now also suspicious. The taint checking tool can then proceed variable by variable forming a list of variables which are potentially influenced by outside input. If any of these variables is used to execute dangerous commands (such as direct commands to a SQL database or the host computer operating system ), the taint checker warns that
SECTION 10
#1732768882515372-432: The fragment identifier or the window.name property were used to pass data between documents residing in different domains. Modern browsers support multiple techniques for relaxing the same-origin policy in a controlled manner: Netscape Navigator briefly contained a taint checking feature. The feature was experimentally introduced in 1997 as part of Netscape 3. The feature was turned off by default, but if enabled by
403-500: The "origin" of a URI is specified in RFC 6454, Section 4. For absolute URIs, the origin is the triple {scheme, host, port}. If the URI does not use a hierarchical element as a naming authority (see RFC 3986 , Section 3.2) or if the URI is not an absolute URI, then a globally unique identifier is used. Two resources are considered to be of the same origin if and only if all these values are exactly
434-401: The assumption that the majority of users choose to use compliant browsers. The policy does not deny writes. Counteracting the abuse of the write permission requires additional CSRF protections by the target sites. In some circumstances, the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains . At first, a number of workarounds such as using
465-485: The browser from making GET, OPTIONS, and TRACE requests; it only prevents the responses from being read by user code. Therefore, if an endpoint uses a one of these "safe" request methods to write information or perform an action on a user's behalf, it can be exploited by attackers. Note that the Same-Origin Policy does not apply to cookies for historical reasons. If multiple adversarial sites are deployed on
496-485: The browser to infer information cross-origin. These attacks can be counteracted by implementing a Cross-Origin Resource Policy (CORP) header, which allows a website owner to block cross-origin or cross-site resources, like images, videos, and stylesheets. CORP can also block JavaScript-initiated fetch requests, but only if they are sent with the no-cors request mode. The same-origin policy does not prevent
527-517: The command and exit with an error message, because a tainted variable is being used in a SQL query. Without taint checking, a user could enter foo'; DROP TABLE users -- , thereby running a command that deletes the entire database table. Much safer would be to encode the tainted value of $ name to a SQL string literal and use the result in the SQL query, guaranteeing that no dangerous command embedded in $ name will be evaluated. Another way to achieve that
558-482: The connection. To ensure cross-site security, the WebSocket server must compare the header data against an allowlist of origins permitted to receive a reply. The behavior of same-origin checks and related mechanisms is not well-defined in a number of corner cases such as for pseudo-protocols that do not have a clearly defined host name or port associated with their URLs ( file: , data:, etc.). This historically caused
589-573: The corresponding HTML tags (with fonts being a notable exception). Attacks take advantage of the fact that the same origin policy does not apply to HTML tags. The concept of same-origin policy was introduced by Netscape Navigator 2.02 in 1995, shortly after the introduction of JavaScript in Netscape 2.0. JavaScript enabled scripting on web pages, and in particular programmatic access to the Document Object Model (DOM). The policy
620-511: The cross-origin HTTP requests with XMLHttpRequest that would otherwise have been forbidden by the same-origin policy. Another technique, cross-document messaging allows a script from one page to pass textual messages to a script on another page regardless of the script origins. Calling the postMessage() method on a Window object asynchronously fires an "onmessage" event in that window, triggering any user-defined event handlers. A script in one page still cannot directly access methods or variables in
651-525: The development of a number of popular plugins to extend Navigator's functionality. Netscape had several easter eggs. Navigator 2 featured verse 12:10 from The Book of Mozilla . The bottom of "about:authors" read: All human actions are equivalent ... and ... all are on principle doomed ... Taint checking Taint checking is a feature in some computer programming languages , such as Perl , Ruby or Ballerina designed to increase security by preventing malicious users from executing commands on
SECTION 20
#1732768882515682-487: The documents appear to have the same origin and enabling each document to read properties of the other. Setting this property implicitly sets the port to null, which most browsers will interpret differently from port 80 or even an unspecified port. To assure that access will be allowed by the browser, set the document.domain property of both pages. The document.domain concept was introduced as part of Netscape Navigator 3, released in 1996. The other technique for relaxing
713-474: The internal IP address of a victim. If attempting to connect to a cross-origin port, responses cannot be read in face of same-origin policy, but a JavaScript can still make inferences on whether the port is open or closed by checking if the onload/onerror event fires, or if we get a timeout. This gives opportunities for cross-origin portscanning . Further, JavaScript snippets can use techniques like cross-site leaks to exploit long-standing information leakages in
744-518: The malicious site do not allow the code loaded from the malicious site access the banking session cookie or platform-level authorization. While it is true that JavaScript has no direct access to the banking session cookie, it could still send and receive requests to the banking site with the banking site's session cookie. Same Origin Policy was introduced as a requirement for security-minded browsers to deny read access to responses from across origins, with
775-428: The other page, but they can communicate safely through this message-passing technique. Since HTML <script> elements are allowed to retrieve and execute content from other domains, a page can bypass the same-origin policy and receive JSON data from a different domain by loading a resource that returns a JSONP payload. JSONP payloads consist of an internal JSON payload wrapped by a pre-defined function call. When
806-404: The program is using a potentially dangerous tainted variable. The computer programmer can then redesign the program to erect a safe wall around the dangerous input. Taint checking may be viewed as a conservative approximation of the full verification of non-interference or the more general concept of secure information flow . Because information flow in a system cannot be verified by examining
837-707: The same hostname with different port numbers, contrary to the SOP, all cookies set by any of the sites are shared. This can be used to leak users' session tokens and steal account information. Therefore, web services should be separated by differentiating subdomains rather than port numbers. Netscape Navigator 2 Netscape Navigator 2 is a discontinued proprietary web browser released by Netscape Communications Corporation as its flagship product . Versions were available for Microsoft Windows , Apple Macintosh , Linux , IRIX , HP-UX , AIX , Solaris , SunOS , JavaOS , and FreeBSD . The browser introduced and improved
868-517: The same-origin policy is standardized under the name Cross-Origin Resource Sharing (CORS). This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to use a header to explicitly list origins that may request a file or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5, Safari 4 and Internet Explorer 10 use this header to allow
899-530: The same. To illustrate, the following table gives an overview of typical outcomes for checks against the URL " http://www.example.com/dir/page.html ". Unlike other browsers, Internet Explorer does not include the port in the calculation of the origin, using the Security Zone in its place. The same-origin policy protects against reusing authenticated sessions across origins. The following example illustrates
930-399: The script resource is loaded by the browser, the designated callback function will be invoked to process the wrapped JSON payload. Modern browsers will permit a script to connect to a WebSocket address without applying the same-origin policy. However, they recognize when a WebSocket URI is used, and insert an Origin: header into the request that indicates the origin of the script requesting
961-647: Was originally designed to protect access to the DOM, but has since been broadened to protect sensitive parts of the global JavaScript object. All modern browsers implement some form of the same-origin policy as it is an important security cornerstone. The policies are not required to match an exact specification but are often extended to define roughly compatible security boundaries for other web technologies, such as Microsoft Silverlight , Adobe Flash , or Adobe Acrobat , or for mechanisms other than direct DOM manipulation, such as XMLHttpRequest . The algorithm used to calculate