Same-Origin Policy (SOP) & Cross-Origin Resource Sharing (CORS)
Jan 10, 2023 / By Securium Solutions
Same-Origin Policy (SOP)
The same-origin policy is a web security mechanism that restricts how documents and scripts from one website can access resources of another. SOP is often confused with Content Security Policy (CSP): CSP restricts the calls a page may make to external resources, whereas SOP restricts the calls that external resources (other origins) may make into the page.
A same-origin policy prevents one origin from accessing data belonging to another origin. An origin is the combination of three elements: protocol (scheme), domain (host) and port. All URLs that share the same protocol, domain and port are therefore said to have the same origin. The following table gives examples of origin comparisons against the URL http://blog.example.com (for http the port is implicitly 80):
| URL | Result | Reason |
|---|---|---|
| http://blog.example.com/file1/test.html | Same origin | Only path differs |
| https://blog.example.com/robots.txt | Error | Protocol differs |
| http://blog.example.com/file2/test2.html | Same origin | Only path differs |
| http://blog.example.com:443/dir | Error | Port differs |
| http://news.example.com/index.html | Error | Domain differs |
| http://www.blog.example.com/file1/test.html | Error | Domain differs |
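The table above is the whole SOP decision in miniature: split each URL into its (protocol, host, port) tuple and compare the three parts. The following added example (not code from the original post) does exactly that in JavaScript using the standard WHATWG URL class, which is available in browsers and Node.js. It resolves the default port for http and https so that http://blog.example.com and http://blog.example.com:80 compare as equal while :443 does not, and it reports the reason in the same wording as the table; the sample URLs are the ones from the table, and the base URL http://blog.example.com is assumed as the page doing the comparison.

```javascript
// Added example: compute the (scheme, host, port) origin tuple the SOP compares
// and explain why two URLs are or are not same-origin. Uses the WHATWG URL class
// (browsers and Node.js); not part of the original post.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Returns the three components that make up an origin. URL.port is "" when the
// port is the scheme's default, so we fill it in to make comparisons explicit.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                               // e.g. "http:"
    host: u.hostname.toLowerCase(),                   // e.g. "blog.example.com"
    port: u.port || DEFAULT_PORTS[u.protocol] || '',  // e.g. "80"
  };
}

// Serialized form, equivalent to the built-in `new URL(u).origin` but with the
// default port spelled out so the tuple is visible.
function originString(urlString) {
  const o = originOf(urlString);
  return `${o.scheme}//${o.host}:${o.port}`;
}

// True only when all three components match; the path never matters.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Returns the verdict and reason in the same wording as the table. The checks
// are ordered scheme, host, port so that https://blog.example.com (which also
// changes the default port) is reported as a protocol mismatch, as in the table.
function compareOrigin(base, candidate) {
  const x = originOf(base), y = originOf(candidate);
  if (x.scheme !== y.scheme) return { result: 'Error', reason: 'Protocol differs' };
  if (x.host !== y.host)     return { result: 'Error', reason: 'Domain differs' };
  if (x.port !== y.port)     return { result: 'Error', reason: 'Port differs' };
  return { result: 'Same origin', reason: 'Only path differs' };
}

// Constructed sample input: the base URL and the rows of the table above.
const BASE_URL = 'http://blog.example.com';
const TABLE_URLS = [
  'http://blog.example.com/file1/test.html',
  'https://blog.example.com/robots.txt',
  'http://blog.example.com/file2/test2.html',
  'http://blog.example.com:443/dir',
  'http://news.example.com/index.html',
  'http://www.blog.example.com/file1/test.html',
];

// Re-derives the table as an array of rows.
function buildTable(base = BASE_URL, urls = TABLE_URLS) {
  return urls.map((url) => ({ url, ...compareOrigin(base, url) }));
}

for (const row of buildTable()) {
  console.log(`${row.url}\t${row.result}\t${row.reason}`);
}
```

A practical consequence worth noting: `originOf` lower-cases the host and normalizes the default port, which is what browsers do internally, so `http://BLOG.example.com:80/` is the same origin as the base URL even though the strings differ.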
Why is the Same-Origin Policy needed?
What does SOP mean, and where is it enforced?
The same-origin policy is enforced whenever two different origins interact. For example:
- Content such as JavaScript code or the Document Object Model (DOM) of an iframe cannot be accessed unless it comes from the same origin.
- XMLHttpRequest (Ajax) calls to a different origin are not allowed.
- Cookies such as session cookies are not sent to different domains. For cookies, port and protocol are not checked; only the domain/subdomain is.
However, the same-origin policy does not eliminate the use of different origins altogether. The browser checks whether a given cross-origin interaction poses a threat and, if not, allows it.
Embedding cross-origin content is usually allowed, but read access to it is blocked. For example, you can embed images, scripts or videos from other sites with <img>, <script> or <video> tags.
SOP protects us from:
Cross-Site Request Forgery (CSRF) is the attack SOP was designed to protect against, since CSRF takes advantage of requests coming from a different origin. It is nonetheless recommended to use an anti-CSRF token together with the SOP.
SOP is useless against cross-site scripting (XSS): preventing XSS would require restricting JavaScript from external sites, which would hamper the web application.
Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing is a web-based mechanism that allows resources from a different origin to be accessed or loaded. Previously, because of the SOP, a web page could not access or load resources of a different origin through scripts, XMLHttpRequest or the Fetch API; CORS now allows this even when the request is made from, or to, a different origin. It is more flexible than the SOP. CORS does not protect against cross-origin attacks such as Cross-Site Request Forgery (CSRF).
Why is Cross-Origin Resource Sharing needed?
It was introduced because of the restrictions imposed by the Same-Origin Policy. These days, web icons and styles are often requested from different origins, so for them to be accessible we use CORS instead of the SOP.
How is CORS implemented?
CORS allows the server to explicitly whitelist certain origins, which lets those origins bypass the SOP's restriction.
If your server is configured for CORS, it will return an extra header, Access-Control-Allow-Origin, on each response.
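Since the whitelist decision is made by the server, the security of CORS rests entirely on how the server chooses the value it puts in Access-Control-Allow-Origin. The following added example (not code from the original post or any particular framework) shows that decision as a plain JavaScript function suitable for a Node.js http handler: the request's Origin header is compared as a whole string against an explicit allowlist, and the header is only emitted on a match. A weak variant that reflects whatever Origin the request carries is included beside it for contrast. The allowlist entries and the request origins are constructed sample values, and `handler` assumes the Node.js `http` request/response API (it is not started here).

```javascript
// Added example: server-side CORS allowlisting for the Access-Control-Allow-Origin
// header. Not part of the original post; origins below are constructed samples.
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Returns the CORS headers to add to a response, or {} when the requesting
// origin is not allowed (the browser's SOP then keeps the response unreadable
// to that origin). Requests without an Origin header are same-origin or
// non-browser requests and need no CORS headers at all.
function corsHeadersFor(requestOrigin, allowlist = ALLOWED_ORIGINS) {
  if (typeof requestOrigin !== 'string') return {};
  // Exact match of the whole origin string. A substring or regex test such as
  // /example\.com$/ would also accept "https://evil-example.com", and the
  // literal string "null" (sandboxed iframes, file:// pages) must not be
  // allowlisted either; an exact Set lookup rules both out.
  if (!allowlist.has(requestOrigin)) return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
    // Tell caches the response depends on Origin, so a copy produced for one
    // allowed origin is never served to a different one.
    'Vary': 'Origin',
  };
}

// Weak variant, shown only for contrast: reflecting any Origin (or using "*"
// together with credentials) grants every site read access to the response.
function corsHeadersReflectAnyOrigin(requestOrigin) {
  if (typeof requestOrigin !== 'string') return {};
  return {
    'Access-Control-Allow-Origin': requestOrigin,   // attacker-controlled value
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Request handler in the shape expected by Node.js http.createServer(handler).
// Preflight (OPTIONS) requests get the method/header grants only for an
// allowed origin; everything else gets a small JSON body.
function handler(req, res) {
  const cors = corsHeadersFor(req.headers.origin);
  for (const [name, value] of Object.entries(cors)) res.setHeader(name, value);
  if (req.method === 'OPTIONS') {
    if (cors['Access-Control-Allow-Origin']) {
      res.setHeader('Access-Control-Allow-Methods', 'GET, POST');
      res.setHeader('Access-Control-Allow-Headers', 'Content-Type');
    }
    res.writeHead(204);
    return res.end();
  }
  res.writeHead(200, { 'Content-Type': 'application/json' });
  res.end(JSON.stringify({ ok: true }));
}
// To run as a server: require('http').createServer(handler).listen(8080);

// Constructed sample requests showing both functions' decisions.
const SAMPLE_ORIGINS = [
  'https://app.example.com',            // allowlisted
  'https://evil-example.com',           // suffix lookalike
  'https://app.example.com.attacker.test', // prefix lookalike
  'null',                               // opaque origin
  undefined,                            // no Origin header at all
];
for (const origin of SAMPLE_ORIGINS) {
  console.log(String(origin), '->', JSON.stringify(corsHeadersFor(origin)));
}
```

The allowlist check is deliberately a `Set` lookup on the full origin: the two lookalike origins in the sample list are the cases that substring and regex checks commonly get wrong, and they are exactly what a reviewer should test a CORS implementation against.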