Same Origin/Domain Policy
The same origin policy (also known as the same domain policy) is the main security control
in web browsers. An origin is defined as the combination of host name, protocol, and port
number; you can think of an origin as the entity that created some web page or information
being accessed by a browser. The same origin policy simply requires that dynamic
content (for example, JavaScript or VBScript) can read only HTTP responses and cookies
that came from the same origin as the content itself. Dynamic content may not read content
from a different origin than the one it came from. Interestingly, the same origin policy
does not have any write access control. As such, web sites can send (or write) HTTP
requests to any other web site, although restrictions may be placed on the cookies and
headers associated with sending such requests to prevent cross-site requests.
The same origin policy may best be explained through examples. Suppose I have a
web page at http://foo.com/bar/baz.html with JavaScript in it. That JavaScript can
read/write some pages and not others. Table 2-1 outlines what URLs the JavaScript from
http://foo.com/bar/baz.html can access.
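As an added illustration (not the book's Table 2-1 and not code from the book), the following script computes the (scheme, host, port) origin tuple of a URL and decides which candidate URLs script from http://foo.com/bar/baz.html may read; the candidate list is constructed for the example, and default ports are filled in so that http://foo.com and http://foo.com:80 compare as the same origin.

```javascript
// Added example: same-origin comparison as the text defines it.
// Origin = (scheme, host, port); the path is deliberately not part of it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(urlString) {
  const u = new URL(urlString); // hostname is lowercased by the URL parser
  // URL drops a default port, so restore it to make comparisons explicit.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample: the page whose JavaScript is doing the reading.
const SCRIPT_PAGE = "http://foo.com/bar/baz.html";

// Constructed candidate URLs, one per element of the origin tuple.
const CANDIDATES = [
  "http://foo.com/bar/other.html",     // same scheme/host/port: readable
  "http://foo.com/qux/index.html",     // different path only: readable
  "http://foo.com:80/bar/baz.html",    // explicit default port: readable
  "https://foo.com/bar/baz.html",      // different scheme: not readable
  "http://www.foo.com/bar/baz.html",   // different host (subdomain): not readable
  "http://foo.com:8080/bar/baz.html",  // different port: not readable
];

// Build a table of { url, readable } rows for a page and its candidates.
function accessTable(page, candidates) {
  return candidates.map((url) => ({ url, readable: sameOrigin(page, url) }));
}

for (const row of accessTable(SCRIPT_PAGE, CANDIDATES)) {
  console.log(`${row.readable ? "READ " : "BLOCK"} ${row.url}`);
}
```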
Chapter 2: Cross-Site Scripting 23
Exceptions to the Same Origin Policy
Browsers can be instructed to allow limited exceptions to the same origin policy
by setting JavaScript's document.