same-origin policy

Overview

The same-origin policy (SOP) is a core security mechanism implemented by web browsers that restricts how documents or scripts loaded from one origin can interact with resources from another origin. An origin is defined by the combination of protocol, domain, and port. For example, https://example.com:443 and http://example.com:80 are considered different origins due to differing protocols and ports.

Developers encounter the same-origin policy when working with cross-origin requests, shared worker access, or when attempting to read data from iframes or XMLHttpRequests originating from different domains. SOP prevents malicious actors from accessing sensitive data across domains, such as cookies or local storage, which could otherwise be exploited in cross-site scripting (XSS) or data theft attacks.

same-origin policy developer glossary illustration

Why It Matters

Without the same-origin policy, web applications would be vulnerable to a range of attacks including unauthorized access to user data, session hijacking, and data exfiltration. SOP ensures that only scripts and resources from the same origin can access each other's data, thereby enforcing a security boundary between domains.

For developers, SOP is crucial when building APIs, implementing authentication, or handling user data. Misunderstanding SOP can lead to unintentional data exposure, broken functionality, or security vulnerabilities. It also affects how developers structure applications, especially when using third-party libraries or integrating with external services.

How It Works

The same-origin policy enforces restrictions based on the origin of the requesting resource and the target resource. It operates at the browser level and applies to a variety of APIs and interactions, including but not limited to XMLHttpRequest, fetch, WebSocket, and DOM access.

Each resource is identified by its origin, which consists of the protocol, hostname, and port.
When a script attempts to access a resource from a different origin, the browser blocks the action unless explicitly permitted by CORS headers or similar mechanisms.
DOM access is restricted between documents from different origins, such as accessing properties of iframes or accessing localStorage from a different domain.
Network requests, such as those made with fetch or XMLHttpRequest, are subject to SOP unless the server explicitly allows cross-origin access using CORS headers.
Some APIs, like SharedWorker or ServiceWorker, are subject to SOP but may have more relaxed rules for same-origin communication.

Quick Reference

Item	Purpose	Notes
Origin	Defines a unique web resource	Combination of protocol, domain, and port
XMLHttpRequest	Makes HTTP requests	Blocked by SOP unless CORS headers are present
fetch API	Modern HTTP request interface	Also subject to SOP unless CORS is enabled
iframe access	Accessing DOM from different origins	Blocked unless same-origin or using postMessage
localStorage	Client-side data storage	Isolated by origin; cannot be accessed across origins

Basic Example

The following example demonstrates a simple cross-origin fetch attempt, which will fail due to the same-origin policy unless CORS is configured on the server.

fetch('https://api.example.com/data')
  .then(response => response.json())
  .then(data => console.log(data))
  .catch(error => console.error('Fetch failed:', error));

The code attempts to fetch data from an external domain. If the server does not respond with appropriate CORS headers, the browser will block the request and log an error to the console. This illustrates how SOP protects against unauthorized data access.

Production Example

In a production environment, developers must correctly handle cross-origin requests and implement appropriate CORS policies to allow necessary communication. The following example shows a secure setup for handling cross-origin communication using a proxy or CORS headers.

const proxyUrl = 'https://cors-proxy.example.com';
fetch(proxyUrl + '/api/data')
  .then(response => response.json())
  .then(data => {
    console.log('Data received:', data);
  })
  .catch(error => {
    console.error('Request failed:', error);
  });

This version uses a proxy server to bypass SOP restrictions. It is more suitable for production because it ensures that the application's security is not compromised by direct cross-origin requests, and it allows controlled access to external APIs.

Common Mistakes

Assuming that all cross-origin requests are allowed without CORS headers, leading to runtime errors and broken functionality.
Using eval or similar methods to bypass SOP, which introduces security vulnerabilities.
Attempting to access localStorage or other origin-specific resources from a different origin, which will fail silently or throw an exception.
Not configuring CORS headers correctly on the server, causing legitimate cross-origin requests to be blocked.
Ignoring the fact that iframes from different origins cannot access each other’s DOM, leading to incorrect assumptions in UI development.

Security And Production Notes

Always validate and sanitize cross-origin requests to prevent data leakage or unauthorized access.
Use CORS headers correctly to allow only necessary origins, methods, and headers to reduce attack surface.
Implement a reverse proxy or use a trusted third-party service to handle cross-origin requests when direct access is not feasible.
Do not rely on SOP alone for protecting sensitive data; always implement additional security measures like authentication and encryption.
Test cross-origin scenarios in development to catch SOP-related issues before deployment.

Related Concepts

Several web security and development concepts are closely related to the same-origin policy. These include CORS (Cross-Origin Resource Sharing), which provides a controlled way to allow cross-origin access; postMessage, which enables secure communication between different origins; and Content Security Policy (CSP), which adds an additional layer of protection by controlling resource loading.

Additionally, SOP interacts with features like Web Workers, which are subject to SOP but can be used for sharing data between same-origin contexts. The concept of subdomains also plays a role, as app.example.com and api.example.com are considered different origins, which can impact how developers structure their applications.