Web Browser - Same-Origin Policy

1 - What is the same-origin policy

User agents (such as browsers) apply same-origin restrictions to script execution so that data belonging to one origin stays accessible only to code from that same origin (and to the user agent itself). An origin is the triple scheme, host and port of the URL a document was loaded from; two URLs that differ in any of the three are different origins.

To be clear, the browser (the client) enforces the same-origin policy, not the server. It is the browser's responsibility to honor the restrictions. A programmatic HTTP client (a script, curl, ...) is not bound by the policy at all, which is why the policy protects the user's browser session and is not a substitute for authorization checks on the server.

3 - Resources Protected

3.1 - Request

The same-origin policy applies to network requests made from script (XMLHttpRequest / ajax, fetch).

By default, ajax requests that are

Important: a browser may freely perform cross-origin requests for every embedded resource type (images, scripts, stylesheets, …) referenced in the web page. The resource is fetched and rendered, but its bytes remain opaque to script on the page (for instance, a canvas that has drawn a cross-origin image becomes tainted and can no longer be read back).

These restrictions:

  • prevent code running in the browser under one origin from reading data retrieved from another origin
  • limit the unsafe HTTP requests that script can launch automatically toward destinations that differ from the running application's origin.

To relax this policy for a cross-origin request, the target server must opt in with response headers; see Browser - Cross Origin Resource Sharing (CORS)
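The origin comparison the browser performs before letting script read a response, as an added example that is not part of the original page. It computes the (scheme, host, port) tuple with the standard URL parser, normalises default ports, and sorts a constructed list of request targets into those a page may read and those it may not read without CORS. The page URL and target list are made up for the illustration.

```javascript
// Added example (not from the original page): compute the origin tuple the
// browser uses for the same-origin policy and compare two URLs.
// Assumption: Node.js (global URL) or any modern browser.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin = (scheme, host, port). The port is normalised so that
// "http://a.example" and "http://a.example:80" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,
    host: u.hostname,                              // already lower-cased by the URL parser
    port: u.port || DEFAULT_PORTS[u.protocol] || "", // "" means the scheme default
  };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Split request targets into those whose responses script may read (same
// origin) and those it may not read without CORS headers (cross origin).
// Embedded resources (img, script, css) still load cross-origin, but their
// bytes stay opaque to script.
function classifyRequests(pageUrl, targets) {
  const allowed = [], blocked = [];
  for (const t of targets) (sameOrigin(pageUrl, t) ? allowed : blocked).push(t);
  return { allowed, blocked };
}

// Constructed sample: a page served from https://app.example.com
const PAGE = "https://app.example.com/dashboard";
const SAMPLE_TARGETS = [
  "https://app.example.com/api/me",        // same origin
  "https://app.example.com:443/api/me",    // same origin, explicit default port
  "http://app.example.com/api/me",         // different scheme
  "https://api.example.com/me",            // different host (a subdomain is a different host)
  "https://app.example.com:8443/api/me",   // different port
];

if (typeof require !== "undefined" && require.main === module) {
  console.log(classifyRequests(PAGE, SAMPLE_TARGETS));
}
```

Only the first two targets share the page's origin; a subdomain, another scheme or another port each make the target cross-origin, and the response to a fetch there is readable only if the server answers with CORS headers.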

3.2 - Data

Data stored in the browser, such as Web Storage (sessionStorage / localStorage) and IndexedDB, is also partitioned by origin: code from one origin cannot see the data of another origin.

Cookies (session cookies first of all) are also access-restricted, but they use a separate scoping rule from origins: a cookie is scoped by domain (and path) as set through the HTTP - Cookie (Set-Cookie Header), where a page can set a cookie to be visible to its own host or to any parent domain. Scheme and port are not part of that scope (only the Secure attribute restricts a cookie to HTTPS), so a cookie can be sent to a host that the same-origin policy treats as a different origin.
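Cookie scoping contrasted with origin scoping, as an added example that is not part of the original page. It implements the RFC 6265 domain-match rule and the "own host or parent domain" check for the Domain attribute, then asks which cookies from a constructed jar would be attached to requests for several targets. The cookie jar and target URLs are made up; the Path attribute and the public-suffix check real browsers also apply are left out.

```javascript
// Added example (not from the original page): cookies are scoped by domain
// (and path), not by origin, so scheme and port are ignored unless the
// cookie carries the Secure attribute.
// Assumption: Node.js (global URL) or any modern browser.

// RFC 6265 "domain-matches": the host equals the cookie domain, or is a
// subdomain of it. A leading dot on the domain is ignored.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  cookieDomain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// A page may set Domain= only to its own host or a parent domain of it.
// (Browsers additionally reject public suffixes such as "com" using the
// Public Suffix List; that list is not modelled here.)
function canSetDomain(pageHost, requestedDomain) {
  return domainMatches(pageHost, requestedDomain);
}

// Which cookies from the jar would be attached to a request for `url`?
// A cookie set without Domain= is host-only and matches the exact host only.
// A Secure cookie is attached only over https.
function cookiesFor(jar, url) {
  const u = new URL(url);
  return jar
    .filter(c => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter(c => !c.secure || u.protocol === "https:")
    .map(c => c.name);
}

// Constructed jar: cookies a page on https://app.example.com/ could have set.
const JAR = [
  { name: "host_only", domain: "app.example.com", hostOnly: true,  secure: false },
  { name: "wide",      domain: "example.com",     hostOnly: false, secure: false },
  { name: "wide_sec",  domain: "example.com",     hostOnly: false, secure: true  },
];

if (typeof require !== "undefined" && require.main === module) {
  for (const target of ["https://app.example.com/", "https://app.example.com:8443/",
                        "http://api.example.com/", "https://other.example/"]) {
    console.log(target, cookiesFor(JAR, target));
  }
}
```

The second target, https://app.example.com:8443/, is a different origin from the page that set the cookies, yet all three cookies are attached to it; and the "wide" cookie travels to api.example.com, a host the same-origin policy would never let the page read from. That gap is why cookie-authenticated endpoints need their own cross-site request defences.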

4 - Note

With Site Isolation (that is, process isolation: one renderer process per site), it is much more difficult for a malicious website to use speculative side-channel attacks such as Spectre to steal data from other sites, because the other sites' data is never mapped into the attacker's renderer process in the first place.
