【Same-Origin Policy】Definition, Examples, and Prevention
May 2, 2022
8 min read
In order to provide greater security, modern web applications and browsers are equipped with various mechanisms and features. One of these is the so-called Same-Origin Policy (SOP), a rule enforced by browsers to protect data exposure from one website to another.
Learn more about the same-origin policy below!
How is origin defined?
In the context of the Internet, an origin is the combination of a Uniform Resource Identifier (URI) scheme, a hostname (or domain), and a port number.
So, let’s take the main page of our blog: https://crashtest-security.com/security-penetration-testing-blog/.
Here, the scheme is HTTPS, the host is crashtest-security.com, and the port number is 443 (the default port number for HTTPS).
Modern browsers consider any page with the same scheme, host, and port as having the same origin. Conversely, if any one of these three differs, the origin is not considered the same.
Using the following website (http://company-website.com/), here are a few examples of origins that would and would not be considered the same.
URL                                             Same-origin?
http://company-website.com/dir/news.html        Yes, scheme, domain, and port match
http://company-website.com/dir/page2.html       Yes, scheme, domain, and port match
https://company-website.com/page.html           No, scheme and port are different
http://www.company-website.com/dir/page1.html   No, different host (exact match is required)
https://news.company-website.com/               No, scheme, host, and port are different
Whether or not the origin is the same affects how browsers treat requests between origins.
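As an added example in JavaScript (not code from the original article), the following derives the scheme, host and port triple the way the article describes, filling in the default port the URL parser drops, and checks the URLs from the table above against http://company-website.com/. The two URLs with an explicit :80 and :8080 port are constructed additions to show that only a non-default port changes the origin.

```javascript
// Added example: compute the (scheme, host, port) origin triple that the
// Same-Origin Policy compares, and report which components differ.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// The URL constructor strips a port equal to the scheme's default, so we
// restore it explicitly to make the three-way comparison visible.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// List the origin components that differ between two URLs (empty = same origin).
function originDiff(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return ["scheme", "host", "port"].filter((k) => oa[k] !== ob[k]);
}

function isSameOrigin(a, b) {
  return originDiff(a, b).length === 0;
}

// Constructed sample set: the article's table plus two explicit-port variants.
const BASE = "http://company-website.com/";
const SAMPLES = [
  "http://company-website.com/dir/news.html",
  "http://company-website.com/dir/page2.html",
  "https://company-website.com/page.html",
  "http://www.company-website.com/dir/page1.html",
  "https://news.company-website.com/",
  "http://company-website.com:80/",   // explicit default port: still same origin
  "http://company-website.com:8080/", // non-default port: different origin
];

// Produce one verdict line per sample URL, relative to BASE.
function report(base, samples) {
  return samples.map((url) => {
    const diff = originDiff(base, url);
    const verdict = diff.length ? `different origin (${diff.join(", ")})` : "same origin";
    return `${url} -> ${verdict}`;
  });
}

console.log(report(BASE, SAMPLES).join("\n"));
```

The browser's own `URL.origin` property yields the same verdicts; the explicit triple is kept here only to show which component breaks the match.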
What is the purpose