Same-origin policy


In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity.
It is very important to remember that the same-origin policy applies only to scripts. This means that resources such as images, CSS, and dynamically-loaded scripts can be accessed across origins via the corresponding HTML tags. Attacks take advantage of the fact that the same origin policy does not apply to HTML tags.

History

The concept of same-origin policy was introduced by Netscape Navigator 2.02 in 1995, shortly after the introduction of JavaScript in Netscape 2.0. JavaScript enabled scripting on web pages, and in particular programmatic access to the Document Object Model.
The policy was originally designed to protect access to the DOM, but has since been broadened to protect sensitive parts of the global JavaScript object.

Implementation

All modern browsers implement some form of the same-origin policy as it is an important security cornerstone. The policies are not required to match an exact specification but are often extended to define roughly compatible security boundaries for other web technologies, such as Microsoft Silverlight, Adobe Flash, or Adobe Acrobat, or for mechanisms other than direct DOM manipulation, such as XMLHttpRequest.

Origin determination rules

The algorithm used to calculate the "origin" of a URI is specified in RFC 6454, Section 4. For absolute URIs, the origin is the triple. If the URI does not use a hierarchical element as a naming authority or if the URI is not an absolute URI, then a globally unique identifier is used. Two resources are considered to be of the same origin if and only if all these values are exactly the same.
To illustrate, the following table gives an overview of typical outcomes for checks against the URL "http://www.example.com/dir/page.html".
Compared URLOutcomeReason
http://www.example.com/dir/page2.htmlSame scheme, host and port
http://www.example.com/dir2/other.htmlSame scheme, host and port
http://username:password@www.example.com/dir2/other.htmlSame scheme, host and port
http://www.example.com:81/dir/other.htmlSame scheme and host but different port
https://www.example.com/dir/other.htmlDifferent scheme
http://en.example.com/dir/other.htmlDifferent host
http://example.com/dir/other.htmlDifferent host
http://v2.www.example.com/dir/other.htmlDifferent host
http://www.example.com:80/dir/other.htmlPort explicit. Depends on implementation in browser.

Unlike other browsers, Internet Explorer does not include the port in the calculation of the origin, using the Security Zone in its place.

Security applications

The same-origin policy helps protect sites that use authenticated sessions. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and doesn't log out. Then, the user goes to another site that has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create a new transaction, etc. This is because the browser can send and receive session cookies to the banking site based on the domain of the banking site.
The user visiting the malicious site would expect that the site he or she is visiting has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie, it could still send and receive requests to the banking site with the banking site's session cookie. Because the script can essentially do the same as the user would do, even CSRF protections by the banking site would not be effective.

Relaxing the same-origin policy

In some circumstances, the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains. At first, a number of workarounds such as using the fragment identifier or the window.name property were used to pass data between documents residing in different domains. Modern browsers support multiple techniques for relaxing the same-origin policy in a controlled manner:

Data tainting

briefly contained a taint checking feature. The feature was experimentally introduced in 1997 as part of Netscape 3. The feature was turned off by default, but if enabled by a user it would allow websites to attempt to read JavaScript properties of windows and frames belonging to a different domain. The browser would then ask the user whether to permit the access in question.

document.domain property

If two windows contain scripts that set domain to the same value, the same-origin policy is relaxed for these two windows, and each window can interact with the other. For example, cooperating scripts in documents loaded from orders.example.com and catalog.example.com might set their document.domain properties to “example.com”, thereby making the documents appear to have the same origin and enabling each document to read properties of the other. Setting this property implicitly sets the port to null, which most browsers will interpret differently from port 80 or even an unspecified port. To assure that access will be allowed by the browser, set the document.domain property of both pages.
The document.domain concept was introduced as part of Netscape Navigator 3, released in 1996.

Cross-Origin Resource Sharing

The other technique for relaxing the same-origin policy is standardized under the name Cross-Origin Resource Sharing. This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to use a header to explicitly list origins that may request a file or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5, Safari 4 and Internet Explorer 10 use this header to allow the cross-origin HTTP requests with XMLHttpRequest that would otherwise have been forbidden by the same-origin policy.

Cross-document messaging

Another technique, cross-document messaging allows a script from one page to pass textual messages to a script on another page regardless of the script origins. Calling the postMessage method on a Window object asynchronously fires an "onmessage" event in that window, triggering any user-defined event handlers. A script in one page still cannot directly access methods or variables in the other page, but they can communicate safely through this message-passing technique.

JSONP

Since HTML