Same origin policy

From Wikipedia, the free encyclopedia

Jump to: navigation, search

In computing, the same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. In a nutshell, the policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions — but prevents access to most methods and properties across pages on different sites.

This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on client side to prevent the loss of data confidentiality or integrity.


[edit] History

The concept of same origin policy dates back to Netscape Navigator 2.0; close derivatives of the original design are used in all current browsers, and often extended to define roughly compatible security boundaries for other web scripting languages, such as Adobe Flash, or for mechanisms other than direct DOM manipulation (e.g., XMLHttpRequest).

[edit] Origin determination rules

The term "origin" is defined using the domain name, application layer protocol, and (in most browsers) TCP port of the HTML document running the script. Two resources are considered to be of the same origin if and only if all these values are exactly the same. To illustrate, the following table gives the overview of typical outcomes for checks against the URL "".

Compared URL Outcome Reason Success Same protocol and host Success Same protocol and host Failure Same protocol and host but different port Failure Different protocol Failure Different host Failure Different host (exact match required) Failure Different host (exact match required)

[edit] Additional document.domain logic

An important extension to the same origin policy implemented for JavaScript DOM access (but not for most of the other flavors of same-origin checks) is that two sites sharing a common top-level domain may opt to communicate despite failing the "same host" check by mutually setting their respective document.domain DOM property to the same qualified, right-hand fragment of their current host name.

For example, if and both set document.domain to "", they would be from that point on considered same-origin for the purpose of DOM manipulation.

[edit] Corner cases and exceptions

The behavior of same-origin checks and related mechanisms is not well-defined in a number of corner cases, such as for protocols that do not have a clearly defined host name or port associated with their URLs (file:, data:, etc). This historically caused a fair number of security problems, such as the generally undesirable ability of any locally stored HTML file to access all other files on the disk, or communicate with any site on the Internet.

In addition, many legacy cross-domain operations predating JavaScript are not subjected to same-origin checks; one such example is the ability to include scripts across domains, or submit POST forms.

Lastly, certain types of attacks, such as DNS rebinding or server-side proxies, permit the host name check to be partly subverted, and make it possible for rogue web pages to directly interact with sites other than their true origin. The impact of such attacks is limited to very specific scenarios, as the browser is still believing it is interacting with attacker's site, and hence does not disclose third-party cookies or other sensitive information to the attacker.

[edit] See also

[edit] External links

Personal tools