What is the same-origin policy
User agents (such as browsers) apply same-origin restrictions to code execution in order to keep data in a location accessible only to the client and the user agent.
To be clear, the browser (client) enforces the same-origin policy, not the server. It is the browser's responsibility to honor the restrictions. If you write a programmatic HTTP client, this policy does not apply to it.
Resources Protected
Request
The same-origin policy applies to network (Ajax) requests.
By default, Ajax requests that are:
- same-origin are allowed
- cross-origin are forbidden
Important: a browser may freely perform cross-origin requests for every embedded media resource type (such as images, …) in the web page.
These restrictions:
- prevent a client-side web application (mainly the browser) running from one origin from obtaining data retrieved from another origin
- limit unsafe HTTP requests that can be automatically launched toward destinations that differ from the running application's origin.
To allow cross-origin requests under this policy, see Browser - Cross Origin Resource Sharing (CORS)
Data
Data stored in the browser, such as Web Storage (sessionStorage / localStorage) and IndexedDB, is also subject to the same-origin policy: code from one origin may not see the data of another origin.
Cookie
Cookies (in particular session cookies) are also subject to the same-origin policy, but cookies use a separate definition of origin, described in What is a Cookie? (HTTP Set-Cookie Header), where a page can set a cookie to be visible to its own domain or any parent domain.
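The two notions of "origin" used above (the scheme/host/port triple that governs Ajax requests and storage, versus the domain-based scoping of cookies) are easy to confuse. The following is an added example, not code from the original page: it models both rules with the standard URL class (Node.js or a browser) and constructed sample URLs. The cookie helper is hypothetical and only models the domain part of the rule; it ignores Path, Secure, HttpOnly and SameSite.

```javascript
// Added example (not part of the original page): same-origin check for
// script access vs. domain-match for cookie scoping.

// A web origin is the triple (scheme, host, port). Default ports are
// normalised away; path, query and fragment play no part.
function originOf(urlString) {
  const u = new URL(urlString);
  // u.port is "" when the scheme's default port (80, 443, ...) is used
  const port = u.port ? ':' + u.port : '';
  return `${u.protocol}//${u.hostname.toLowerCase()}${port}`;
}

// True when a script loaded from pageUrl may read a response from targetUrl
// without CORS, i.e. both URLs have the same origin triple.
function isSameOrigin(pageUrl, targetUrl) {
  return originOf(pageUrl) === originOf(targetUrl);
}

// Cookie scoping (RFC 6265 "domain-match", domain part only; hypothetical helper).
// A cookie with Domain=example.com is sent to example.com and every subdomain,
// regardless of scheme or port, which is why it is broader than the origin rule.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, '');
  if (host === domain) return true;
  // An IP address literal never domain-matches a "parent domain".
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith('.' + domain);
}

// Constructed sample: a page on https://app.example.com with a cookie scoped
// to Domain=example.com, checked against several request targets.
function classify(pageUrl, cookieDomain, targetUrls) {
  return targetUrls.map((t) => ({
    target: t,
    sameOrigin: isSameOrigin(pageUrl, t),
    cookieSent: cookieDomainMatches(new URL(t).hostname, cookieDomain),
  }));
}

const page = 'https://app.example.com/dashboard';
const targets = [
  'https://app.example.com:443/api/user', // same origin: 443 is the default port
  'http://app.example.com/api/user',      // different scheme, same cookie domain
  'https://app.example.com:8443/api',     // different port, same cookie domain
  'https://api.example.com/user',         // different host, still a subdomain
  'https://example.com.evil.test/',       // neither same origin nor a subdomain
];
console.table(classify(page, 'example.com', targets));
```

Rows that show sameOrigin false but cookieSent true are exactly the cases where the same-origin policy blocks the script from reading the response while the browser still attaches the cookie to the request.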
Note
With Site Isolation (i.e. process isolation), it's much more difficult for a malicious website to use speculative side-channel attacks like Spectre to steal data from other sites.