Same origin policy
From Wikipedia, the free encyclopedia
In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. In a nutshell, the policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions — but prevents access to most methods and properties across pages on different sites.
This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on client side to prevent the loss of data confidentiality or integrity.
Contents |
[edit] History
The concept of same origin policy dates back to Netscape Navigator 2.0; close derivatives of the original design are used in all current browsers, and often extended to define roughly compatible security boundaries for other web scripting languages, such as Adobe Flash, or for mechanisms other than direct DOM manipulation (e.g., XMLHttpRequest).
[edit] Origin determination rules
The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) TCP port of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same. To illustrate, the following table gives the overview of typical outcomes for checks against the URL "http://www.example.com/dir/page.html".
Compared URL | Outcome | Reason |
---|---|---|
http://www.example.com/dir/page.html | Success | Same protocol and host |
http://www.example.com/dir2/other.html | Success | Same protocol and host |
http://www.example.com:81/dir2/other.html | Failure | Same protocol and host but different port |
https://www.example.com/dir2/other.html | Failure | Different protocol |
http://en.example.com/dir2/other.html | Failure | Different host |
http://example.com/dir2/other.html | Failure | Different host (exact match required) |
http://v2.www.example.com/dir2/other.html | Failure | Different host (exact match required) |
[edit] Additional document.domain logic
An important extension to the same origin policy implemented for JavaScript DOM access (but not for most of the other flavors of same-origin checks) is that two sites sharing a common top-level domain may opt to communicate despite failing the "same host" check by mutually setting their respective document.domain
DOM property to the same qualified, right-hand fragment of their current host name.
For example, if http://en.example.com/ and http://fr.example.com/ both set document.domain
to "example.com", they would be from that point on considered same-origin for the purpose of DOM manipulation.
[edit] Corner cases and exceptions
The behavior of same-origin checks and related mechanisms is not well-defined in a number of corner cases, such as for protocols that do not have a clearly defined host name or port associated with their URLs (file:, data:, etc). This historically caused a fair number of security problems, such as the generally undesirable ability of any locally stored HTML file to access all other files on the disk, or communicate with any site on the Internet.
In addition, many legacy cross-domain operations predating JavaScript are not subjected to same-origin checks; one such example is the ability to include scripts across domains, or submit POST forms.
Lastly, certain types of attacks, such as DNS rebinding or server-side proxies, permit the host name check to be partly subverted, and make it possible for rogue web pages to directly interact with sites other than their true origin. The impact of such attacks is limited to very specific scenarios, as the browser is still believing it is interacting with attacker's site, and hence does not disclose third-party cookies or other sensitive information to the attacker.