Same origin policy
In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. The policy permits scripts running on pages originating from the same origin to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages from different origins.
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions: the browser attaches a site's cookies to every request it sends to that site, regardless of which page triggered the request, and the server then acts on that cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must therefore be maintained on the client side to prevent the loss of data confidentiality or integrity.
History
The concept of the same origin policy dates back to Netscape Navigator 2.0. Close derivatives of the original design are used in all current browsers and are often extended to define roughly compatible security boundaries for other web scripting languages, such as Adobe Flash, or for mechanisms other than direct DOM manipulation, such as XMLHttpRequest.
Origin determination rules
The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) port number of the HTML document running the script. Two resources are considered to be of the same origin if and only if all three of these values are exactly the same; the path, query string and fragment of the URL play no part in the comparison. To illustrate, the following table gives an overview of typical outcomes for checks against the URL "http://www.example.com/dir/page.html".
| Compared URL | Outcome | Reason |
|---|---|---|
| http://www.example.com/dir/page2.html | Success | Same protocol and host |
| http://www.example.com/dir2/other.html | Success | Same protocol and host |
| http://www.example.com:81/dir/other.html | Failure | Same protocol and host but different port |
| https://www.example.com/dir/other.html | Failure | Different protocol |
| http://en.example.com/dir/other.html | Failure | Different host |
| http://example.com/dir/other.html | Failure | Different host (exact match required) |
| http://v2.www.example.com/dir/other.html | Failure | Different host (exact match required) |
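The following is an added example, not code from the original article: a same-origin comparison that follows the scheme/host/port rule illustrated by the table above, together with the document.domain relaxation for DOM access described in the next section. All function names are this example's own; the rows checked at the end are the table's rows against the article's base URL.

```javascript
// Added example, not code from the original article: a same-origin check
// that follows the scheme/host/port rule of the table above, plus the
// document.domain relaxation for DOM access. Function names are this
// example's own.

// Default ports per scheme, used to compare implicit and explicit ports.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to the (scheme, host, port) triple that defines its origin.
// The path, query and fragment play no part in the comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  // The WHATWG URL parser drops a port equal to the scheme default, so both
  // "http://a:80/" and "http://a/" report port "". Restore the default so
  // explicit and implicit default ports compare equal.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// The strict rule: all three components must match exactly.
function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Serialise an origin the way browsers expose it (the Origin header,
// window.origin): scheme://host, with the port only when it is non-default.
function serializeOrigin(urlString) {
  const o = originOf(urlString);
  const portPart = o.port === DEFAULT_PORTS[o.scheme] ? "" : `:${o.port}`;
  return `${o.scheme}//${o.host}${portPart}`;
}

// document.domain relaxation (DOM access only, not XMLHttpRequest).
// A page may set document.domain to its own host name or to a dot-delimited
// right-hand suffix of it; an illegal value throws, as the browser does.
// Simplifying assumption of this example: the suffix must contain a dot, so
// a bare top-level domain such as "com" is rejected.
function isLegalDocumentDomain(host, domain) {
  if (domain === host) return true;
  return domain.includes(".") && host.endsWith("." + domain);
}

// Two pages count as same-origin for DOM purposes when neither has set
// document.domain and they match strictly, or when BOTH have set it to the
// same legal value and share a scheme. (Once document.domain is set, browsers
// stop comparing the port.) null means "document.domain was never set".
function isSameOriginForDom(pageA, domainA, pageB, domainB) {
  const oa = originOf(pageA);
  const ob = originOf(pageB);
  if (domainA === null && domainB === null) return isSameOrigin(pageA, pageB);
  // One side opted in and the other did not: isolated in both directions.
  if (domainA === null || domainB === null) return false;
  for (const [host, domain] of [[oa.host, domainA], [ob.host, domainB]]) {
    if (!isLegalDocumentDomain(host, domain)) {
      throw new Error(`SecurityError: cannot set document.domain to "${domain}" on ${host}`);
    }
  }
  return oa.scheme === ob.scheme && domainA === domainB;
}

// The rows of the table above, checked against the article's base URL.
const BASE = "http://www.example.com/dir/page.html";
function tableOutcomes() {
  return [
    "http://www.example.com/dir/page2.html",
    "http://www.example.com/dir2/other.html",
    "http://www.example.com:81/dir/other.html",
    "https://www.example.com/dir/other.html",
    "http://en.example.com/dir/other.html",
    "http://example.com/dir/other.html",
    "http://v2.www.example.com/dir/other.html",
  ].map((url) => ({ url, sameOrigin: isSameOrigin(BASE, url) }));
}
```

Note the port normalisation: a naive comparison of the parser's `port` field alone would already work for the table, but it silently treats "http://www.example.com:80/" and "http://www.example.com/" as different if one side was built from a string that spelled the port out, so the example restores the default before comparing.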
Additional document.domain logic
An important extension to the same origin policy implemented for JavaScript DOM access (but not for most of the other flavors of same-origin checks) is that two sites sharing a common parent domain may opt to communicate despite failing the "same host" check by mutually setting their respective document.domain DOM property to the same qualified, right-hand fragment of their current host name. For example, if http://en.example.com/ and http://fr.example.com/ both set document.domain to "example.com", they would be from that point on considered same-origin for the purpose of DOM manipulation. The opt-in has to come from both sides: a page that has not set document.domain stays isolated from one that has, even when their host names would otherwise allow it.
Corner cases and exceptions
The behavior of same-origin checks and related mechanisms is not well-defined in a number of corner cases, such as for protocols that do not have a clearly defined host name or port associated with their URLs (file:, data:, etc.). This historically caused a fair number of security problems, such as the generally undesirable ability of any locally stored HTML file to access all other files on the disk, or to communicate with any site on the Internet.
In addition, many legacy cross-domain operations predating JavaScript are not subjected to same-origin checks; examples are the ability to include scripts across domains (`<script src>`) or to submit POST forms to another domain, the latter being what makes cross-site request forgery (CSRF) possible. JSONP, which deliberately relies on cross-domain script inclusion, is a popular cross-domain alternative to XMLHttpRequest (Ajax).
Lastly, certain types of attacks, such as DNS rebinding or server-side proxies, permit the host name check to be partly subverted, and make it possible for rogue web pages to directly interact with sites through addresses other than their "true", canonical origin. The impact of such attacks is limited to very specific scenarios, since the browser still believes that it is interacting with the attacker's site, and therefore does not disclose third-party cookies or other sensitive information to the attacker.
Workarounds
To enable developers to circumvent the Same Origin Policy in a controlled manner, a number of 'hacks', such as using the fragment identifier or the `window.name` property, have been used to pass data between documents residing in different domains. With the HTML5 standard a method was formalized for this: the `postMessage` interface, which is only available in recent browsers. JSONP and Cross-Origin Resource Sharing (CORS) can also be used to enable AJAX-like calls to other domains. Each of these channels moves the trust decision into the application: a `postMessage` receiver has to check the sender's origin before acting on a message, and a CORS server has to decide which origins it allows rather than echoing whatever Origin header it receives.
For supporting older browsers, the JavaScript library easyXDM can be used to provide a unified API for the `postMessage` interface as well as a number of hacks used to allow Cross Domain Messaging (XDM).
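The following is an added example, not code from the original article or from easyXDM, showing the two sanctioned cross-origin channels named above with their origin checks in place: a `postMessage` sender that pins the recipient origin and a receiver that verifies `event.origin` before parsing the payload, and a CORS server routine that echoes only allowlisted origins in Access-Control-Allow-Origin. The origins, the allowlist and the stand-ins for browser objects (a fake frame and fake message events) are constructed for the example so it runs outside a browser.

```javascript
// Added example, not code from the original article: postMessage with origin
// checks on both ends, and CORS headers computed from an allowlist. Origins
// and browser-object stand-ins are constructed for the example.

const TRUSTED_WIDGET_ORIGIN = "https://widget.example.com";

// --- postMessage, sender side -------------------------------------------
// Never send secrets with targetOrigin "*": if the frame has meanwhile been
// navigated to another site, that site would receive the message. Pinning
// the origin makes the browser drop the message instead.
function sendToWidget(targetWindow, payload) {
  targetWindow.postMessage(JSON.stringify(payload), TRUSTED_WIDGET_ORIGIN);
}

// --- postMessage, receiver side -----------------------------------------
// Returns a handler for window.addEventListener("message", ...). The origin
// comparison is the whole security boundary; the payload is parsed only
// after it passes. The handler returns its decision so it can be inspected.
function makeMessageHandler(trustedOrigin, onMessage) {
  return function onMessageEvent(event) {
    if (event.origin !== trustedOrigin) {
      return { accepted: false, reason: `untrusted origin ${event.origin}` };
    }
    let data;
    try {
      data = JSON.parse(event.data);
    } catch (e) {
      return { accepted: false, reason: "malformed payload" };
    }
    onMessage(data, event.origin);
    return { accepted: true, reason: "trusted origin" };
  };
}

// --- CORS, server side --------------------------------------------------
const CORS_ALLOWLIST = new Set(["https://app.example.com", "https://admin.example.com"]);

// Compute the CORS response headers for a request carrying an Origin header.
// Reflecting an arbitrary Origin together with Allow-Credentials: true would
// give any site authenticated read access, so only allowlisted origins are
// echoed; for everyone else no CORS headers are emitted and the browser
// withholds the response from the calling script.
function corsHeadersFor(requestOrigin, options) {
  const credentials = !options || options.credentials !== false;
  const headers = { Vary: "Origin" };
  if (!requestOrigin || !CORS_ALLOWLIST.has(requestOrigin)) return headers;
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  if (credentials) headers["Access-Control-Allow-Credentials"] = "true";
  headers["Access-Control-Allow-Methods"] = "GET, POST";
  return headers;
}

// Demo with constructed stand-ins for the browser objects.
function demo() {
  const sent = [];
  const fakeFrame = { postMessage: (data, targetOrigin) => sent.push({ data, targetOrigin }) };
  sendToWidget(fakeFrame, { token: "session-abc" });

  const received = [];
  const handler = makeMessageHandler(TRUSTED_WIDGET_ORIGIN, (d, o) => received.push({ d, o }));
  const fromWidget = handler({ origin: TRUSTED_WIDGET_ORIGIN, data: JSON.stringify({ height: 300 }) });
  const fromAttacker = handler({ origin: "https://attacker.example", data: JSON.stringify({ height: 1 }) });
  const garbage = handler({ origin: TRUSTED_WIDGET_ORIGIN, data: "{not json" });

  return {
    sent, received, fromWidget, fromAttacker, garbage,
    corsOk: corsHeadersFor("https://app.example.com"),
    corsDenied: corsHeadersFor("https://attacker.example"),
  };
}
```

In a real page `handler` is registered with `window.addEventListener("message", handler)` and `targetWindow` is the iframe's `contentWindow`; the check on `event.origin` is what keeps a third-party frame on the same page from injecting messages.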
See also
- Cross-Origin Resource Sharing
- Cross-site scripting
- Cross-site request forgery
- Cross-document messaging
External links
- A detailed comparison of several flavors of same-origin policies
- A review of deficiencies in same-origin policies and their implication for web security
- Sample vendor-provided same origin policy specification
- Defeating, breaking and bypassing The Same Origin Policy
- The HTML5 spec's definition of Origin