Quiz Entry - updated: 2026.07.14
What is the Same-Origin Policy (SOP) and what does an "origin" consist of?
The browser rule that a script loaded from origin A may not read data from origin B. An origin is the triple (scheme, host, port) — all three must match.
Without SOP, evilcom's JavaScript running in one tab could read your bank's cookies, DOM, and HTML5 storage in another tab. SOP is what makes the multi-app browser model survivable.
Origin examples — which match https://example.com:443?
| URL | Same origin? | Why |
|---|---|---|
https://example.com/path |
✅ | Default port 443, same scheme + host |
http://example.com |
❌ | Different scheme |
https://example.com:8080 |
❌ | Different port |
https://api.example.com |
❌ | Different host (subdomain counts as different) |
https://www.example.com |
❌ | Different host |
What SOP restricts:
- Reading DOM of another origin (cross-frame).
- Reading the response body of
fetch/XMLHttpRequestto another origin (unless CORS allows it). - Reading another origin's cookies (
document.cookie), localStorage, IndexedDB.
What SOP doesn't restrict (and why CSRF exists):
- Sending a request to another origin —
<img>,<form>,<script src>all happily make cross-origin requests, the browser just won't let JS read the response.
Tip: CORS (Access-Control-Allow-Origin) is the controlled relaxation of SOP for legitimate cross-origin APIs. Wide-open Access-Control-Allow-Origin: * plus credentials is a common misconfiguration.