
3.2.1. Same origin policy

One of the most important concepts in web applications is the same origin policy. It is a protection mechanism implemented by modern web browsers that isolates web applications from each other on the client side. This isolation is performed on domain names, under the assumption that content from different domains comes from different entities. In theory, this means every domain has its own trust domain and interaction across domains is restricted. In practice, there are multiple ways of bypassing this mechanism; malicious ones often create a confused deputy problem, where the client's browser is tricked into submitting an attacker-specified request under the user's authority.
The same origin policy prevents JavaScript and other scripting languages from accessing the DOM across domains. It also applies to the XMLHttpRequest JavaScript API provided by browsers and prohibits a page from sending XMLHttpRequest requests to different domains. On the downside, the actual implementation varies between browsers in important details. Since the actual behaviour depends on the implementation in each browser, each vendor usually implements some exceptions intended to help web developers, which reduce the reliability of this mechanism.
Same origin policy
Two pages share the same origin if the protocol, hostname and port are the same for both.
The following table shows the outcome of the same origin policy check against the URL http://web.company.com/~user1:
Table 3.1. Sample CALS Table

URL                                 Outcome   Reason
http://web.company.com/~user2       Success   Same protocol, hostname and port
https://web.company.com/~user1      Fail      Different protocol
http://store.company.com/~user1     Fail      Different hostname
https://web.company.com:81/~user1   Fail      Different port

As the example above shows, if a company serves web pages of its users from the same domain web.company.com, then the pages of individual users are not restricted by the same origin policy when accessing each other, as they come from the same domain.
Browsers treat the hostname of the server as a string literal, which creates another exceptional case: even if the IP address of company.com is 10.20.30.40, the browser will enforce the same origin policy between http://company.com and http://10.20.30.40.

3.2.1.1. Setting document.domain

A page can also redefine its origin by setting the document.domain property to a fully-qualified suffix of the current hostname. When two pages have set the same document.domain, the same origin policy is not applied between them. However, document.domain has to be set mutually: it is not enough for just one page to set its document.domain. Also, when the document.domain property is set, the port is set to null, while still being checked. This means company.com:8080 cannot bypass the same origin policy and access company.com by setting document.domain = "company.com", as their ports (null vs 80) differ.
However, document.domain has several issues:
  • When web.company.com and storage.company.com need to share resources and both set document.domain = "company.com", any other subdomain can set its document.domain to the same value and access both of them, even though this access was not intended to be permitted.
  • When this mechanism cannot be used, cross-domain requests are forbidden even for legitimate use, which creates a problem for websites that use multiple (sub)domains.
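As an added example (not part of the original guide), the following JavaScript models the origin comparison from Table 3.1 and the relaxed comparison that applies once pages set document.domain. The function names are the example's own, and it assumes, following the text, that a page which has not set document.domain keeps its real port while a page that has set it compares with a null port.

```javascript
// Origin tuple of a URL: scheme, hostname and port. The URL API reports an
// empty port for the scheme's default port, so normalise it to "80"/"443".
function originOf(url) {
  const u = new URL(url);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port !== "" ? u.port : (defaultPorts[u.protocol] || "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// Strict same-origin check: protocol, hostname and port must all match.
// The hostname is compared as a string, so company.com and its IP differ.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Reason a check fails, in the order the table gives; null when it succeeds.
function sameOriginFailure(a, b) {
  const x = originOf(a), y = originOf(b);
  if (x.scheme !== y.scheme) return "Different protocol";
  if (x.host !== y.host) return "Different hostname";
  if (x.port !== y.port) return "Different port";
  return null;
}

// document.domain may only be set to a suffix of the page's own hostname.
function isSuffixDomain(hostname, domain) {
  return hostname === domain || hostname.endsWith("." + domain);
}

// Effective origin once a page has assigned document.domain (or null if it
// has not): the host becomes the chosen domain and the port becomes null.
function effectiveOrigin(url, documentDomain) {
  const o = originOf(url);
  if (documentDomain === null) return o;
  if (!isSuffixDomain(o.host, documentDomain)) {
    throw new Error("document.domain must be a suffix of the current hostname");
  }
  return { scheme: o.scheme, host: documentDomain, port: null };
}

// Relaxed check: both pages must have set the same document.domain; a page
// that did not set it keeps its real port, so the null-vs-80 case fails.
function sameOriginWithDocumentDomain(a, domA, b, domB) {
  const x = effectiveOrigin(a, domA), y = effectiveOrigin(b, domB);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}
```

Running the table rows through sameOriginFailure reproduces the Reason column, and the relaxed check shows why any subdomain that sets document.domain = "company.com" ends up sharing an origin with web.company.com and storage.company.com.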

3.2.1.2. Unrestricted operations

The same origin policy restricts JavaScript access to the DOM and XMLHttpRequest across domains. However, there are multiple operations that are not restricted:
  • JavaScript embedding with <script src="..."></script>
  • CSS embedding with <link rel="stylesheet" href="...">
  • Anything with <frame> and <iframe>
  • ... and others

3.2.1.3. References: