Same-Origin Policy

The Same-Origin Policy is the set of rules a browser uses to control how a document or script loaded from one origin may interact with resources loaded from another origin. Under this policy, script on one page may read data from a second page (its DOM, cookies, or the response to a request it made) only when both pages share the same origin.

The policy is what stops a malicious script on one page from reading sensitive data out of another page the user has loaded in the same browser, such as an authenticated session at a bank or webmail site.

What is the Origin?

The origin consists of three elements: the scheme (protocol), the hostname (domain), and the port, compared as the triple (scheme, hostname, port). The port is compared after the scheme's default port is applied, so http://www.example.com and http://www.example.com:80 are the same origin. If even one of the three elements differs, the browser considers the resources to have different origins; the path, query string, fragment and userinfo play no part in the comparison.

Note: Internet Explorer had two exceptions to the same-origin policy: the limitations were not applied between sites in a highly trusted zone (for example, corporate intranet domains in the Trusted Sites zone), and its same-origin check did not include the port.

Examples of checking the Same-Origin Policy

Origin: http://www.example.com/dir/page.html

URL                                            Outcome     Reason
http://www.example.com/dir2/other.html         Accessible  Only the path differs
http://www.example.com/dir/inner/another.html  Accessible  Only the path differs
http://www.example.com:80/dir/page.html        Accessible  Explicit port 80 equals the http:// default
https://www.example.com/page.html              Failure     Different scheme (protocol)
http://www.example.com:81/dir/page.html        Failure     Different port (http:// is port 80 by default)
http://example.com/dir/page.html               Failure     Different host (www.example.com is not example.com; hosts must match exactly)
Networking restrictions

In general, cross-origin writes and embeds are permitted while cross-origin reads are not: a page may submit a form to, navigate to, or embed a script, image or frame from another origin, but script on the page may not read the response of a cross-origin fetch or XMLHttpRequest, nor the DOM of a cross-origin frame. Cross-origin requests that use an HTTP method other than GET, HEAD or POST, or that carry custom request headers, are further restricted: the browser does not send them directly but first issues a preflight OPTIONS request, and sends the real request only if the server's response permits that method and those headers.

Loosening SOP

For sites within the same domain hierarchy, a page may relax its origin by setting document.domain to its current domain or a superdomain of it (for example, a page on app.example.com setting document.domain = "example.com"). Both documents must set the value explicitly for the check to pass, because setting it also clears the port component of the origin. This mechanism is deprecated: Chromium-based browsers have disabled the document.domain setter by default since Chrome 115 (a site can re-enable it with an Origin-Agent-Cluster: ?0 response header), so new code should use window.postMessage or CORS instead.

Another way of loosening the Same-Origin Policy is CORS (Cross-Origin Resource Sharing): the server uses the Access-Control-Allow-Origin header and its companions to inform the browser which other origins are permitted to read its resources, and answers preflight requests for the methods and headers it will accept.
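The preflight rule from Networking restrictions and the CORS mechanism just described, as an added Node.js example that is not from the original article: isSimpleRequest classifies a request the way the browser does before deciding whether a preflight is needed, and corsHeaders is a hypothetical server-side helper that decides which CORS headers to return. ALLOWED_ORIGINS, the sample requests and the helper names are assumptions made for this example; request objects follow the shape of Node's http.IncomingMessage (method plus lowercase header names), so the function can be dropped into a real handler.

```javascript
// Added example (not from the original article): server-side CORS decision
// logic plus the browser's "simple request" classification. The allowlist,
// helper names and sample requests are constructed for illustration.

const ALLOWED_ORIGINS = new Set(["https://app.example.com", "https://admin.example.com"]);

// Requests that a browser sends cross-origin without a preflight. The
// browser may still refuse to expose the response to script.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SIMPLE_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

// True when no preflight is required: simple method, only safelisted
// headers, and (if present) a Content-Type whose media type is simple.
// Header names are compared case-insensitively.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return false;
    if (n === "content-type" &&
        !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return false;
  }
  return true;
}

// Returns the CORS response headers for a request, or an empty object when
// none should be sent. The Origin is checked against the allowlist and
// echoed only on a match: reflecting any Origin together with
// Access-Control-Allow-Credentials: true would let every site on the web
// read the user's authenticated responses, undoing the Same-Origin Policy.
function corsHeaders(req) {
  const origin = req.headers["origin"];
  if (origin === undefined) return {};          // same-origin or non-browser client
  if (!ALLOWED_ORIGINS.has(origin)) return {};   // not allowlisted: say nothing, browser blocks the read
  const out = {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",                            // shared caches must key on Origin
  };
  // A preflight is an OPTIONS request announcing the real method it wants to use.
  const isPreflight = req.method === "OPTIONS" && "access-control-request-method" in req.headers;
  if (isPreflight) {
    out["Access-Control-Allow-Methods"] = "GET, POST, PUT, DELETE";
    out["Access-Control-Allow-Headers"] = "Content-Type, Authorization, X-CSRF-Token";
    out["Access-Control-Max-Age"] = "600";     // let the browser cache the preflight result
  }
  return out;
}

// Constructed sample requests in the shape of http.IncomingMessage.
const SAMPLE_REQUESTS = [
  { method: "GET", headers: { origin: "https://app.example.com" } },
  { method: "GET", headers: { origin: "https://evil.example" } },
  { method: "OPTIONS", headers: { origin: "https://app.example.com",
      "access-control-request-method": "PUT",
      "access-control-request-headers": "content-type, authorization" } },
];
for (const r of SAMPLE_REQUESTS) console.log(r.method, r.headers.origin, "->", corsHeaders(r));
console.log("POST json simple?", isSimpleRequest("POST", { "Content-Type": "application/json" }));
```

The design choice worth noticing is that a disallowed origin gets no CORS headers at all rather than an error: the request still reaches the server (SOP never blocked the write), and it is the absence of Access-Control-Allow-Origin that makes the browser withhold the response from the calling script.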