4. Same Origin Policy:
“The same-origin policy restricts how a
document or script loaded from one origin can
interact with a resource from another origin.”
- MDN (https://developer.mozilla.org)
7. FYI - IE Exceptions
● Trust Zones: If both domains are in a highly trusted zone, then
the same origin limitations are not applied.
● Port: IE doesn't include the port in the Same Origin comparison,
so http://example.com:80/abc & http://example.com:8080/xyz
are considered to be from the same origin.
[Non-standard and not supported in any other browser]
8. Same Origin Policy
Changing Origin:
● A page may change its own origin to a suffix of
its current domain.
● But it cannot set its document.domain to
another domain.
10. Same Origin Policy
Cross-Origin Network Access:
✔ Cross-Origin writes are allowed.
(Examples are links, redirects and form submissions)
✔ Cross-Origin embedding is allowed.
✗ Cross-Origin reads are not allowed.
11. Same Origin Policy
Cross-Origin Embedding:
● JavaScript with <script src="..."></script>.
● CSS with <link rel="stylesheet" href="...">
● Images with <img>.
● Media files with <video> and <audio>.
● Plug-ins with <object>, <embed> and <applet>.
● Anything with <frame> and <iframe>
* Mitigation : X-Frame-Options header.
Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
12. How to block cross-origin access:
➢ To prevent cross-origin writes, use a random
token.
➢ To prevent cross-origin reads of a resource,
ensure that it is not embeddable.
Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
13. How to allow cross-origin access:
CORS
(To be continued...)