LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is the Same-Origin Policy (SOP) and what does an "origin" consist of?

The browser rule that a script loaded from origin A may not read data from origin B. An origin is the triple (scheme, host, port) — all three must match.

Without SOP, evilcom's JavaScript running in one tab could read your bank's cookies, DOM, and HTML5 storage in another tab. SOP is what makes the multi-app browser model survivable.

Origin examples — which match https://example.com:443?

URL Same origin? Why
https://example.com/path Default port 443, same scheme + host
http://example.com Different scheme
https://example.com:8080 Different port
https://api.example.com Different host (subdomain counts as different)
https://www.example.com Different host

What SOP restricts:

  • Reading DOM of another origin (cross-frame).
  • Reading the response body of fetch/XMLHttpRequest to another origin (unless CORS allows it).
  • Reading another origin's cookies (document.cookie), localStorage, IndexedDB.

What SOP doesn't restrict (and why CSRF exists):

  • Sending a request to another origin — <img>, <form>, <script src> all happily make cross-origin requests, the browser just won't let JS read the response.

Tip: CORS (Access-Control-Allow-Origin) is the controlled relaxation of SOP for legitimate cross-origin APIs. Wide-open Access-Control-Allow-Origin: * plus credentials is a common misconfiguration.

From Quiz: ISF / Web Application Security Basics | Updated: Jul 14, 2026