Same-Origin Policy (SOP)
What is Same-Origin Policy (SOP)?
Same-Origin Policy (SOP): Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
The Same-Origin Policy is the foundational isolation boundary of the web. Two URLs share an origin only when their scheme, host, and port all match; otherwise the browser blocks scripts from reading responses, accessing the DOM of cross-origin frames, or inspecting cookies that belong to another site. SOP prevents a malicious page from silently stealing the contents of a banking session opened in another tab. It is selectively relaxed by mechanisms such as CORS, postMessage, and JSONP. Misconfigured exceptions are a frequent root cause of cross-origin data leakage and authentication bypass bugs.
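The scheme/host/port rule above, worked through in code. This is an added example, not part of the glossary entry: it re-implements the origin comparison a browser performs so that each of the three components is visible, using constructed URLs under the made-up host bank.example. Browsers expose the same result through the built-in URL.origin property.

```javascript
// Added example: a minimal re-implementation of the browser's origin rule.
// Two URLs are same-origin only when scheme, host and port all match.
// Default ports are normalised the way the URL parser does (http -> 80,
// https -> 443) and hosts are compared case-insensitively.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Break a URL into the (scheme, host, port) triple that defines its origin.
function originTuple(urlString) {
  const u = new URL(urlString);
  // WHATWG URL parsing leaves u.port empty for a scheme's default port.
  const port = u.port === "" ? (DEFAULT_PORTS[u.protocol] ?? "") : u.port;
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// True only when all three origin components are identical.
function isSameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed comparisons, one per component of the rule (bank.example is a
// placeholder host, not a real site).
const CASES = [
  ["https://bank.example/account", "https://bank.example/transfer", true], // path differs: still same origin
  ["https://bank.example", "https://bank.example:443/", true],             // explicit default port
  ["http://bank.example", "https://bank.example", false],                  // scheme differs
  ["https://bank.example", "https://api.bank.example", false],             // host differs (subdomain)
  ["https://bank.example", "https://bank.example:8443", false],            // port differs
  ["https://BANK.example", "https://bank.example", true],                  // host is case-insensitive
];

// Evaluate every case and report expected vs. actual for inspection.
function runCases() {
  return CASES.map(([a, b, expected]) => ({ a, b, expected, actual: isSameOrigin(a, b) }));
}

for (const c of runCases()) {
  console.log(`${c.a}  vs  ${c.b}  ->  same-origin: ${c.actual}`);
}
```

Note that a differing path or query string never changes the origin; only scheme, host and port matter, which is why a script on one page of a site can read responses from any other path on that same origin.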
● Frequently asked questions
What is Same-Origin Policy (SOP)?
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin. It belongs to the Application Security category of cybersecurity.
What does Same-Origin Policy (SOP) mean?
Browser security rule that restricts how a document or script loaded from one origin can interact with a resource from a different origin.
How does Same-Origin Policy (SOP) work?
The Same-Origin Policy is the foundational isolation boundary of the web. Two URLs share an origin only when their scheme, host, and port all match; otherwise the browser blocks scripts from reading responses, accessing the DOM of cross-origin frames, or inspecting cookies that belong to another site. SOP prevents a malicious page from silently stealing the contents of a banking session opened in another tab. It is selectively relaxed by mechanisms such as CORS, postMessage, and JSONP. Misconfigured exceptions are a frequent root cause of cross-origin data leakage and authentication bypass bugs.
How do you defend against Same-Origin Policy (SOP)?
Defences for Same-Origin Policy (SOP) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Same-Origin Policy (SOP)?
Common alternative names include: SOP.
● Related terms
- appsec№ 223
CORS (Cross-Origin Resource Sharing)
A browser-enforced mechanism that lets a server selectively relax the Same-Origin Policy so that JavaScript on one origin can read responses from another.
- attacks№ 240
Cross-Site Scripting (XSS)
A web vulnerability that allows attackers to inject malicious scripts into pages viewed by other users, executing in the victim's browser under the site's origin.
- attacks№ 239
Cross-Site Request Forgery (CSRF)
A web attack that forces an authenticated user's browser to send unwanted requests to a vulnerable site, causing state-changing actions without consent.
- appsec№ 214
Content Security Policy (CSP)
An HTTP response header that tells the browser which sources of scripts, styles, frames and other content are allowed, limiting the impact of XSS and data-injection attacks.
- appsec№ 516
iframe sandbox
HTML attribute that applies extra restrictions to an iframe's content, blocking scripts, forms, navigation, and same-origin access unless explicitly re-enabled.
- appsec№ 690
Mixed Content
Situation where an HTTPS page loads subresources (scripts, styles, images, XHR) over plain HTTP, weakening the page's overall security guarantees.
● See also
- № 911Referrer Policy
- № 681MIME Sniffing
- № 224CORS Misconfiguration
- № 566JSONP Vulnerability
- № 1051Site Isolation