The Same-Origin Policy (SOP) lets a browser prevent a malicious script running on one page from reading sensitive data belonging to a page served from a different origin.
What is the Origin?
The origin consists of three elements: the scheme (protocol), the hostname (domain), and the port, written as scheme://hostname:port.
If any one of the three elements differs, the browser treats the two resources as having different origins.
Note: Internet Explorer has two exceptions to the same-origin policy: same-origin limitations are not applied between sites in its trust zones, and its same-origin check does not include the port.
Examples of checking the Same-Origin Policy

Compared with a page at http://example.com/dir/page.html:

| URL | Outcome | Reason |
|---|---|---|
| http://example.com/dir2/other.html | Accessible | Only the path differs |
| http://example.com/dir/inner/another.html | Accessible | Only the path differs |
| http://example.com:81/dir/page.html | Failure | Different port (http:// is port 80 by default) |
Networking restrictions
In general, a page is permitted to send a request or a document to another origin, but it is not allowed to read the response that comes back from another origin. The browser further restricts which HTTP request methods a page may use when sending requests to another origin, and which custom request headers it may attach to them.
Loosening SOP
For sites within the same domain hierarchy, a page may change its own origin if a script sets the value of document.domain to its current domain or to a superdomain of its current domain.
Another way of loosening the Same-Origin Policy is CORS (Cross-Origin Resource Sharing), which lets a server inform browsers that access to its resources is permitted for specific other origins.