Web Browser - Same-Origin Policy

What is the same-origin policy

User agents (such as browsers) apply same-origin restrictions to script execution so that data belonging to one origin stays accessible only to that origin's code and to the user agent itself.

To be clear, the browser (client) enforces the same-origin policy, not the server: it is the browser's responsibility to honor the restrictions. A programmatic HTTP client (curl, a script using an HTTP library) is not bound by this policy at all, which is why the policy protects the user sitting in front of the browser rather than the server.

Resources Protected


The same-origin policy applies to network requests made from script, i.e. Ajax requests (XMLHttpRequest and fetch).

By default, ajax requests that are

Important: a browser freely performs cross-origin requests for every embedded resource type in a web page (images, scripts, stylesheets, media, iframes, ...). The resource is fetched and rendered or executed, but script on the page cannot read its contents (the response is opaque). The policy therefore restricts reading responses, not sending requests.

These restrictions:

  • prevent client-side code (script running in the browser) from one origin from reading data retrieved from another origin
  • limit the unsafe HTTP requests that can be launched automatically toward destinations that differ from the running application's origin.

To relax this policy for cross-origin requests, see Browser - Cross Origin Resource Sharing (CORS)
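The restrictions above hinge on what "origin" means: two URLs share an origin only when scheme, host and port all match. The following added example (not code from the original page) shows that comparison in JavaScript, using the built-in WHATWG URL class, which normalises the same way browsers do (default ports dropped, host names lower-cased, internationalised names punycoded). The `originDiff` helper and the sample URLs are assumptions made for illustration.

```javascript
// Added example: what the same-origin policy compares.
// Two URLs are same-origin only if scheme, host and port are all equal.

// Ports implied by a scheme when the URL carries none (assumed table).
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Break a URL into the (scheme, host, port) tuple the policy looks at.
// `opaque` is true for schemes such as file: or data: whose origin is
// "null"; browsers never treat two opaque origins as the same origin.
function originParts(u) {
  const url = new URL(u);
  return {
    scheme: url.protocol.replace(/:$/, ""),
    host: url.hostname,                               // already lower-cased / punycoded
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
    opaque: url.origin === "null",
  };
}

// Which components differ: the thing to know when a fetch unexpectedly
// fails. Is it the scheme, a subdomain, or a port?
function originDiff(a, b) {
  const pa = originParts(a), pb = originParts(b);
  return ["scheme", "host", "port"].filter((k) => pa[k] !== pb[k]);
}

function sameOrigin(a, b) {
  const pa = originParts(a), pb = originParts(b);
  if (pa.opaque || pb.opaque) return false;          // "null" never equals "null"
  return originDiff(a, b).length === 0;
}

// Constructed cases covering the edge cases that trip people up.
const CASES = [
  ["https://example.com/page", "https://example.com:443/api/x"], // same: 443 is implied
  ["https://example.com", "http://example.com"],                 // scheme (and implied port) differ
  ["https://example.com", "https://api.example.com"],            // host differs: a subdomain is another origin
  ["http://example.com", "http://example.com:8080"],             // port differs
  ["https://EXAMPLE.com", "https://example.com"],                // host names are case-insensitive
  ["https://bücher.example", "https://xn--bcher-kva.example"],   // IDN and its punycode form: same host
  ["file:///tmp/a.html", "file:///tmp/b.html"],                  // opaque origins: never same origin
];

// One row per case, for the reader to print or inspect.
function report() {
  return CASES.map(([a, b]) => ({ a, b, same: sameOrigin(a, b), diff: originDiff(a, b) }));
}
```

Call `report()` to see every case with the differing components; note that a subdomain of your own site is already a different origin, and that `https://site` and `https://site:443` are not.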


Data stored in the browser, such as Web Storage (sessionStorage / localStorage) and IndexedDB, is also partitioned by origin: code from one origin cannot see the data of another origin.

Cookies (first and foremost session cookies) are the notable exception: they are not scoped by origin but by a separate domain and path rule, described in HTTP - Cookie (Set-Cookie Header ). A page can set a cookie for its own host or for any parent domain; a cookie carrying a Domain attribute is then sent to that domain and all of its subdomains, regardless of scheme or port (only the Secure attribute ties a cookie to HTTPS). Two sibling subdomains can therefore read and set cookies scoped to their shared parent domain, a boundary the same-origin policy would otherwise draw between them.
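To make the difference between origin scoping and cookie scoping concrete, here is an added example (not code from the original page) that simulates the browser's cookie jar in JavaScript: storing a cookie from a Set-Cookie header under the "own host or parent domain" rule, and deciding which cookies accompany a request by the domain-match and path-match rules of RFC 6265. The jar, the page URL `https://app.example.com:8443/` and the cookie names are constructed for illustration; public-suffix handling (refusing `Domain=com`) is deliberately left out.

```javascript
// Added example: how browsers scope cookies, as opposed to origins.
// Cookie matching looks at host suffix and path only; scheme and port
// are ignored, and the Secure attribute is the one scheme-related gate.

// RFC 6265 section 5.1.3: a host domain-matches a cookie domain when
// they are equal, or the host ends with "." + domain and is not an IP.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase(), d = cookieDomain.toLowerCase();
  if (h === d) return true;
  if (/^[\d.]+$/.test(h) || h.startsWith("[")) return false; // IP literal: no suffix match
  return h.endsWith("." + d);
}

// RFC 6265 section 5.1.4: a prefix only counts on a "/" boundary,
// so Path=/admin covers /admin/users but not /adminx.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Store a cookie from a Set-Cookie header received by `pageUrl`. A page
// may scope a cookie to its own host or to any parent domain; a Domain
// that does not cover the page's host is rejected (returns false).
// Only Domain, Path and Secure are handled here (simplification).
function setCookie(jar, pageUrl, header) {
  const host = new URL(pageUrl).hostname;
  const [nv, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nv.indexOf("=");
  const cookie = { name: nv.slice(0, eq), value: nv.slice(eq + 1),
                   domain: host, hostOnly: true, path: "/", secure: false };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    switch (k.toLowerCase()) {
      case "domain": {
        const d = v.replace(/^\./, "").toLowerCase();   // leading dot is ignored
        if (!domainMatches(host, d)) return false;       // e.g. Domain=evil.com
        cookie.domain = d; cookie.hostOnly = false; break;
      }
      case "path": cookie.path = v.startsWith("/") ? v : "/"; break;
      case "secure": cookie.secure = true; break;
    }
  }
  jar.push(cookie);
  return true;
}

// Names of the cookies the browser would attach to a request for `requestUrl`.
function cookiesFor(requestUrl, jar) {
  const u = new URL(requestUrl);
  return jar
    .filter((c) => (c.hostOnly ? u.hostname === c.domain : domainMatches(u.hostname, c.domain)))
    .filter((c) => pathMatches(u.pathname, c.path))
    .filter((c) => !c.secure || u.protocol === "https:")  // port is never consulted
    .map((c) => c.name);
}

// Constructed jar, as if set by a page served from https://app.example.com:8443/.
const PAGE = "https://app.example.com:8443/";
const JAR = [];
setCookie(JAR, PAGE, "session=abc; Secure; Path=/");    // host-only, HTTPS only
setCookie(JAR, PAGE, "pref=dark; Domain=example.com");  // parent domain: every *.example.com
setCookie(JAR, PAGE, "admin=1; Path=/admin; Secure");   // path-restricted
```

Try `cookiesFor("https://app.example.com/", JAR)`: the session cookie is sent even though the port differs from the one that set it, while `cookiesFor("https://other.example.com/", JAR)` still yields the parent-domain cookie, which is exactly the cross-subdomain exposure the prose describes.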


With Site Isolation (one renderer process per site, where a site, scheme plus registrable domain, is coarser than an origin), it is much more difficult for a malicious website to use speculative-execution side-channel attacks such as Spectre to steal data from other sites, because that data is never mapped into the attacker's process.
