Same Origin Policy - SOP
Same-origin policy (SOP) is a policy that governs how web browsers let web pages interact with each other. According to this policy, a script on one web page can access data on another web page only if their origins are the same. An origin is the combination of scheme, hostname, and port number.
In 1995, the concept of the Same-Origin Policy was introduced in Netscape Navigator 2.0 to mitigate cross-site scripting (XSS) attacks and other security issues.
What an origin looks like and how to recognize the same origin
An origin has 3 components: scheme, host, and port number. Example of an origin: http://example.com:80
- In the above example:
- Scheme is: http
- Host is: example.com
- Port number is: 80
(If all 3 of these are the same for two URLs, then they have the same origin. The path is not part of the origin.)
Some SOP questions for you
Q1. Find the URL with the same origin as https://cyberuniversity.tech:443/sop from the following:
- http://cyberuniversity.tech:443/sop
- https://cyberuniversity.tech:8080/sop
- https://cyberuniversity.com:443/sop
- https://www.cyberuniversity.tech:443/sop
- https://cyberuniversity.tech:443/page
(The answer is the 5th, https://cyberuniversity.tech:443/page; the other 4 options differ in scheme, host, or port.)
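The origin comparison described above, applied to the Q1 quiz, as an added example that is not part of the original page. It reduces each URL to its scheme, host and port (filling in the scheme's default port, so https://a.tld and https://a.tld:443 compare equal) using Node's built-in WHATWG URL class; the quiz URLs are taken from the page.

```javascript
// Added example (not from the original page): a same-origin check that compares
// scheme, host and port exactly as the page describes, run over the Q1 quiz URLs.

// Default ports per scheme, so that "https://a.tld" and "https://a.tld:443"
// compare as the same origin (the URL parser drops a default port).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin triple: scheme, host, effective port.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
  if (port === undefined) {
    throw new Error(`no default port known for scheme ${u.protocol}`);
  }
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Two URLs share an origin only if all three components match exactly.
// Path, query and fragment are ignored on purpose: they are not part of the origin.
// Hostnames are compared exactly, so a subdomain is a different origin.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Return the candidates that are same-origin with the reference URL.
function findSameOrigin(reference, candidates) {
  return candidates.filter((c) => sameOrigin(reference, c));
}

// Constructed input: the Q1 quiz from the page.
const Q1_REFERENCE = "https://cyberuniversity.tech:443/sop";
const Q1_CANDIDATES = [
  "http://cyberuniversity.tech:443/sop",      // scheme differs
  "https://cyberuniversity.tech:8080/sop",    // port differs
  "https://cyberuniversity.com:443/sop",      // host differs
  "https://www.cyberuniversity.tech:443/sop", // host differs (subdomain)
  "https://cyberuniversity.tech:443/page",    // same origin, only the path differs
];

// Only the last candidate survives the filter.
console.log(findSameOrigin(Q1_REFERENCE, Q1_CANDIDATES));
```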
Q2. Where is the SOP applied? Who takes care of origins?
- Browser
- Server
(Answer: Browser. The SOP is enforced by the browser, which checks the origin of requests and ensures that a script from one origin cannot access resources from another origin unless explicitly allowed.)
Q3. What does the SOP actually block?
- All requests
- Sensitive requests
- All responses that don't have the same origin
- Responses containing sensitive info of another origin (e.g. cookies)
(Answer: 4. The SOP actually blocks responses containing sensitive info (e.g. cookies, authentication data) from being accessed by scripts on other origins. However, assets like images, scripts, and stylesheets can be shared across origins if allowed.)
In 2004, the concept of Cross-Origin Resource Sharing (CORS) was introduced.