Web Browser - Same-Origin Policy

What is the same-origin policy

User agents (such as a browser) apply same-origin restrictions to code execution in order to keep data in a location accessible only to the client and the user agent.

To be clear, the browser (client) enforces the Same-Origin Policy, not the server. It is the browser's responsibility to honor the restrictions. If you write a programmatic HTTP client program, this policy does not apply to it at all.

Resources Protected

Request

The same-origin policy applies to network (AJAX) requests issued by scripts.

By default, ajax requests that are

Important: A browser may freely perform cross-origin requests for every embedded media resource type (such as images, …) in the web page.

These restrictions:

  • prevent a client-side web application (mainly the browser) running from one origin from obtaining data retrieved from another origin
  • limit unsafe HTTP requests that can be automatically launched toward destinations that differ from the running application's origin.

To allow cross-origin requests despite this policy, see Browser - Cross Origin Resource Sharing (CORS)

Data

Data stored in the browser, such as Web Storage (sessionStorage / localStorage) and IndexedDB, is also subject to the same-origin policy: code from one origin may not see the data of another origin.

Cookies (session cookies in the first place) are also subject to the same-origin policy, but cookies use a separate definition of origin (see What is a Cookie? (HTTP Set-Cookie Header)): a page can set a cookie to be visible to its own domain or any parent domain.
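The following is an added example, not code from the original page: it puts the browser's same-origin rule for script requests (scheme, host and port must all match) beside the separate domain-matching rule that cookies use, so the difference described above can be checked on concrete URLs. The sample URLs and the domain names are constructed for the illustration; only the standard URL class is used.

```javascript
// Added example: same-origin rule vs. cookie domain rule.
// Uses only the standard URL class; runs in Node.js or a browser.
// Origin the browser derives from a URL. URL.origin already folds default
// ports in, so https://a.example:443 and https://a.example are the same origin.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Same-origin policy check: a script at urlA may read a response from urlB
// (without CORS) only when the two origins are identical.
function isSameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Cookie "domain-match" (RFC 6265): the host equals the cookie domain or is a
// subdomain of it. Scheme and port play no role, and a plain suffix match
// such as notexample.com against example.com must not count.
function cookieDomainMatches(requestHost, cookieDomain) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === domain || host.endsWith("." + domain);
}

// A page may set Domain= to its own host or any parent domain (app.example.com
// may set example.com, but not api.example.com or other.com). Public-suffix
// rules (e.g. refusing Domain=com) are out of scope for this example.
function canSetCookieDomain(pageHost, cookieDomain) {
  return cookieDomainMatches(pageHost, cookieDomain);
}

// Summarise, for a script on `page`, what the two rules say about `target`
// once the page has set a cookie scoped to `cookieDomain`.
function classify(page, target, cookieDomain) {
  return {
    scriptMayReadResponse: isSameOrigin(page, target),
    cookieSentToTarget: canSetCookieDomain(new URL(page).hostname, cookieDomain)
      && cookieDomainMatches(new URL(target).hostname, cookieDomain),
  };
}

// Constructed sample: a page at app.example.com sets a cookie with Domain=example.com.
const page = "https://app.example.com/dashboard";
for (const target of [
  "https://app.example.com/api/data",  // same origin
  "https://app.example.com:8443/api",  // port differs
  "http://app.example.com/api",        // scheme differs
  "https://api.example.com/data",      // host differs, but the cookie is still sent
]) console.log(target, classify(page, target, "example.com"));
```

The last target shows the asymmetry the text describes: the script cannot read the response from api.example.com, yet the cookie scoped to the parent domain travels with the request.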

Note

With Site Isolation (i.e. process isolation), it is much more difficult for a malicious website to use speculative side-channel attacks like Spectre to steal data from other sites.