Same-Origin Policy (SOP)

Same-Origin Policy (SOP) is a critical browser security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from another origin. An origin is defined by the combination of protocol (scheme), host, and port; path, query string, and fragment play no part in it.

Origin Definition

URL: https://example.com:443/page.html

Origin components:
- Protocol: https
- Host: example.com
- Port: 443

Same origin examples (relative to above):
✓ https://example.com/other.html
✓ https://example.com:443/api/data

Different origin examples:
✗ http://example.com (different protocol)
✗ https://api.example.com (different host)
✗ https://example.com:8443 (different port)
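The origin comparison above, carried out in code as an added example (not part of the original page): the origin tuple is computed from the scheme, host, and port, with an explicit default port (443 for https, 80 for http) normalised so that https://example.com:443 and https://example.com compare equal. The function names (originOf, sameOrigin, originDiff) are this example's own and are not a browser API; the built-in URL constructor does the parsing.

```javascript
// Added example: same-origin check over the (scheme, host, port) tuple.
// Uses only the WHATWG URL constructor available in browsers and Node.js.

// Default ports per scheme; an explicit default port is equivalent to none.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Returns the origin tuple of a URL. URL.port is "" when the port is the
// scheme default, so fill it in to make the comparison explicit.
function originOf(urlString) {
  const url = new URL(urlString);
  const port = url.port !== "" ? url.port : (DEFAULT_PORTS[url.protocol] || "");
  return { scheme: url.protocol, host: url.hostname, port };
}

// Lists which tuple components differ between two URLs (empty array = same origin).
// Useful when diagnosing a blocked cross-origin request or a dropped postMessage.
function originDiff(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return ["scheme", "host", "port"].filter((k) => oa[k] !== ob[k]);
}

// Two URLs are same-origin only when scheme, host and port all match exactly.
function sameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// The serialised form browsers expose as location.origin / event.origin;
// note that the default port is omitted in this serialisation.
function serializeOrigin(urlString) {
  return new URL(urlString).origin;
}

// Constructed sample: the page's reference URL compared against its examples.
const REFERENCE = "https://example.com:443/page.html";
const CANDIDATES = [
  "https://example.com/other.html",
  "https://example.com:443/api/data",
  "http://example.com",
  "https://api.example.com",
  "https://example.com:8443",
];

for (const candidate of CANDIDATES) {
  const diff = originDiff(REFERENCE, candidate);
  const verdict = diff.length === 0 ? "same origin" : "different (" + diff.join(", ") + ")";
  console.log(serializeOrigin(candidate).padEnd(28), verdict);
}
```

Note that http://example.com differs from the reference in both scheme and port (80 versus 443), which is why a scheme change alone is never same-origin even when no port is written.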

What SOP Restricts

  • DOM access: Scripts cannot read or modify the DOM of a cross-origin page (for example a cross-origin iframe or opened window)
  • Cookie access: JavaScript cannot read cookies that belong to another origin
  • AJAX requests: Cross-origin requests may be sent, but the response cannot be read unless the server permits it via CORS
  • localStorage/sessionStorage: Storage is isolated per origin

What SOP Allows

  • Embedding cross-origin images, scripts, stylesheets
  • Form submissions to cross-origin URLs
  • Embedding cross-origin iframes (content isolated)

SOP Relaxation Mechanisms

  • CORS - Server-controlled cross-origin access, granted through response headers
  • document.domain - Relax SOP between subdomains of the same site (deprecated)
  • postMessage - Controlled cross-origin communication between windows and frames; the receiver must validate the sender's origin
  • JSONP - Legacy cross-origin data loading via script tags, superseded by CORS
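Of the mechanisms above, postMessage is the one where the receiving page, not the browser, enforces the boundary: the browser delivers the message and tags it with the sender's origin, and the handler must compare that origin against an allowlist before acting on the data. The following added example (not code from the original page) shows that check as a pure function so it can be tested without a browser, plus the listener wiring. The allowlist TRUSTED_ORIGINS, the function names and the sample events are this example's own constructions.

```javascript
// Added example: postMessage receiver that enforces an origin allowlist.

// Exact serialised origins that are allowed to send us messages (constructed).
// Compare whole strings: a suffix check like endsWith("example.com") would also
// accept "https://evilexample.com".
const TRUSTED_ORIGINS = new Set(["https://example.com", "https://app.example.com"]);

// Decides whether a message event may be acted upon. Returns a verdict object
// rather than acting directly so the policy is unit-testable.
function evaluateMessage(event, trustedOrigins = TRUSTED_ORIGINS) {
  // event.origin is the browser-supplied, unforgeable sender origin.
  // Sandboxed frames and data: URLs have an opaque origin serialised as "null",
  // which is never in the allowlist and is therefore rejected here.
  if (typeof event.origin !== "string" || !trustedOrigins.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin: " + event.origin };
  }
  // Even a trusted sender may send garbage; validate the payload shape too.
  const data = event.data;
  if (typeof data !== "object" || data === null || typeof data.type !== "string") {
    return { accepted: false, reason: "malformed payload" };
  }
  return { accepted: true, reason: "ok" };
}

// Browser wiring. windowObj is the page's window; under Node this is simply
// not called. The reply names the validated origin as targetOrigin instead of
// "*", so that if the source frame has since navigated elsewhere the browser
// drops the reply rather than delivering it to the new document.
function installListener(windowObj, trustedOrigins = TRUSTED_ORIGINS) {
  windowObj.addEventListener("message", (event) => {
    const verdict = evaluateMessage(event, trustedOrigins);
    if (!verdict.accepted) {
      console.warn("postMessage rejected:", verdict.reason);
      return;
    }
    event.source.postMessage({ type: "ack", ref: event.data.type }, event.origin);
  });
}

// Constructed sample events standing in for real MessageEvent objects.
const SAMPLE_EVENTS = [
  { origin: "https://app.example.com", data: { type: "set-theme", value: "dark" } },
  { origin: "https://app.example.com.attacker.example", data: { type: "set-theme" } },
  { origin: "null", data: { type: "ping" } },          // sandboxed iframe / data: URL
  { origin: "https://example.com", data: "just a string" }, // trusted origin, bad payload
];

// Runs the policy over the samples and returns the verdicts for inspection.
function evaluateSamples(events = SAMPLE_EVENTS, trustedOrigins = TRUSTED_ORIGINS) {
  return events.map((e) => ({ origin: e.origin, ...evaluateMessage(e, trustedOrigins) }));
}

for (const v of evaluateSamples()) {
  console.log((v.accepted ? "ACCEPT" : "REJECT").padEnd(7), v.origin.padEnd(44), v.reason);
}

if (typeof window !== "undefined") installListener(window);
```

The same shape applies to the sending side: call postMessage with the specific origin you intend to reach as the second argument, never "*" when the payload carries anything sensitive.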
