
Same-Origin Policy(SOP) & Cross-Origin Resource Sharing(CORS)

Jan 10, 2023 / By Securium Solutions

Same-Origin Policy (SOP): –

The same-origin policy is a web security mechanism that restricts how a document from one website can interact with resources from another. SOP is often confused with Content Security Policy (CSP): CSP restricts the calls a page may make to external resources, whereas SOP restricts what external origins can do with the page's resources.

The same-origin policy prevents one origin from accessing data belonging to another origin. An origin is the combination of three elements: protocol (scheme), domain (host) and port. All URLs that share the same protocol, domain and port are said to have the same origin. The following table compares several URLs against the origin of http://blog.example.com:

URL                                           Result                               Reason
http://blog.example.com/file1/test.html       Same origin                          Only the path differs
https://blog.example.com/robots.txt           Different origin (access blocked)    Protocol differs (https vs http)
http://blog.example.com/file2/test2.html      Same origin                          Only the path differs
http://blog.example.com:443/dir               Different origin (access blocked)    Port differs (443 vs the default 80)
http://news.example.com/index.html            Different origin (access blocked)    Domain differs
http://www.blog.example.com/file1/test.html   Different origin (access blocked)    Domain differs (a subdomain is a different host)
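The comparison in the table can be reproduced in code. The following is an added example, not code from the article: it splits a URL into the (protocol, domain, port) triple that defines its origin, normalises the default ports for http and https so that http://blog.example.com and http://blog.example.com:80 compare equal, and reports which component differs. The function names and the URLs are this example's own.

```python
"""Added example: comparing two URLs' origins the way a browser does.
Not the article's code; function names are this example's own."""
from urllib.parse import urlsplit

# Ports assumed when the URL does not state one explicitly.
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin_of(url):
    """Return the (protocol, domain, port) triple that defines a URL's origin.

    Path, query string and fragment are deliberately ignored; host and scheme
    are case-insensitive, so they are lower-cased before comparison.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True when both URLs share protocol, domain and effective port."""
    return origin_of(url_a) == origin_of(url_b)


def why_different(url_a, url_b):
    """Name the first origin component that differs (mirrors the table's
    'Reason' column); returns None when the two URLs share an origin."""
    a, b = origin_of(url_a), origin_of(url_b)
    for name, x, y in zip(("protocol", "domain", "port"), a, b):
        if x != y:
            return f"{name} differs"
    return None


if __name__ == "__main__":
    base = "http://blog.example.com"
    for candidate in (
        "http://blog.example.com/file1/test.html",
        "https://blog.example.com/robots.txt",
        "http://blog.example.com:443/dir",
        "http://news.example.com/index.html",
        "http://www.blog.example.com/file1/test.html",
    ):
        print(candidate, "->", why_different(base, candidate) or "same origin")
```

Note that `www.blog.example.com` is treated as a different host from `blog.example.com`: SOP compares the full host name, not a registrable domain, which is why the table lists subdomains as a different origin.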

Why is the Same-Origin Policy needed?

When an HTTP request is sent from one origin to another, the browser also attaches the user's authentication data for the target site, i.e. cookies, session tokens, authentication tokens and so on. The response is therefore generated within the user's session and contains data about that user. Without SOP, a malicious site on the other side could read that response and gain access to the user's private data.

How is SOP enforced?

The same-origin policy is enforced whenever two different origins interact. For example:

- Content such as JavaScript code or the Document Object Model (DOM) of an iframe cannot be accessed unless the iframe comes from the same origin.
- XMLHttpRequest (Ajax) calls to a different origin are not allowed.
- Cookies such as session cookies are not sent to different domains. For cookies, port and protocol are not checked; only the domain/subdomain is.

However, the same-origin policy does not forbid all use of different origins. The browser checks whether the interaction poses a threat and, if it does not, allows it.

Embedding cross-origin content is usually allowed, but read access to it is blocked. For example, you can embed images (<img>), scripts (<script>) or videos (<video>) from other sites.

SOP protects us from:

Cross-Site Request Forgery (CSRF) is the attack SOP was designed to protect against, since CSRF takes advantage of requests coming from a different origin. It is nevertheless recommended to use an anti-CSRF token alongside SOP.

SOP is useless against cross-site scripting (XSS), since preventing XSS would require restricting JavaScript from external sites, which would hamper the web application.

Cross-Origin Resource Sharing (CORS): –

Cross-Origin Resource Sharing is a browser-based mechanism that allows resources from a different origin to be accessed or loaded. Previously, because of SOP, a script could not access or load a site of a different origin through XMLHttpRequest or the Fetch API; CORS allows this even when the request is made to or from a different origin. It is more flexible than SOP. CORS does not protect against cross-origin attacks such as Cross-Site Request Forgery (CSRF).

Why is Cross-Origin Resource Sharing needed?

CORS was introduced because of the restrictions imposed by the Same-Origin Policy. These days, web icons and styles are frequently requested from different origins, and CORS is what makes such resources accessible where SOP alone would block them.

How is CORS implemented?

CORS allows the server to explicitly whitelist certain origins, relaxing the SOP for those origins only.

If your server is configured for CORS, it returns an extra header, Access-Control-Allow-Origin, on each response, naming the origin that is permitted to read it.
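The whitelist described above is a decision the server makes per request, based on the Origin header the browser sends. The following is an added example, not the article's or any framework's code: a small function that computes the CORS response headers from an explicit allowlist, next to the weak pattern of reflecting whatever Origin arrives. The allowlist, function names and origins are constructed for this example.

```python
"""Added example: computing CORS response headers from an explicit origin
allowlist. Not the article's code; the allowlist and names are hypothetical."""

# Hypothetical allowlist: the only origins this server lets read its responses.
ALLOWED_ORIGINS = {
    "https://app.example.com",
    "https://admin.example.com",
}


def cors_headers_reflecting(request_origin):
    """Weak pattern: reflect whatever Origin the browser sent and allow
    credentials. This effectively whitelists every site on the web, because
    any origin can then read authenticated responses from this server."""
    if request_origin is None:
        return {}
    return {
        "Access-Control-Allow-Origin": request_origin,
        "Access-Control-Allow-Credentials": "true",
    }


def cors_headers_allowlisted(request_origin, allowed=ALLOWED_ORIGINS,
                             credentials=True):
    """Hardened pattern: only origins on the explicit allowlist receive an
    Access-Control-Allow-Origin header. Any other origin gets no CORS header,
    so the browser enforces the same-origin policy as usual."""
    # No Origin header means a same-origin or non-browser request; the
    # opaque "null" origin (sandboxed frames, file://) is never trusted.
    if request_origin is None or request_origin == "null":
        return {}
    # Exact string match only: no prefix, suffix or regex matching, which is
    # where allowlists usually go wrong (e.g. "example.com.attacker.tld").
    if request_origin not in allowed:
        return {}
    headers = {
        "Access-Control-Allow-Origin": request_origin,
        # The response differs per Origin, so caches must not serve one
        # origin's copy to another.
        "Vary": "Origin",
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    for origin in ("https://app.example.com", "https://evil.example.net", None):
        print(origin, "->", cors_headers_allowlisted(origin))
```

Two details matter in the hardened version: the comparison is an exact match on the full origin string (scheme, host and port), and the `Vary: Origin` header is always sent so that a shared cache cannot hand one origin's response to another. A wildcard `Access-Control-Allow-Origin: *` is fine for public, unauthenticated resources, but browsers refuse to combine it with `Access-Control-Allow-Credentials: true`, which is why an allowlist that echoes a single permitted origin is the usual shape for authenticated APIs.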

Author
Aryan Majumder
Securium Solution Cyber Security Intern
