Same-Origin-Policy

The same-origin policy (SOP) is a security concept that forbids client-side scripting languages such as JavaScript and ActionScript, but also Cascading Style Sheets, from accessing objects (for example, graphics) that originate from another website or whose location does not match the origin. It is an essential security element in all modern browsers and web applications for protection against attacks.

History

The same-origin policy was introduced by Netscape in 1996 with JavaScript in Netscape Navigator 2.0. It was adopted by other manufacturers in their JavaScript implementations or proprietary scripting languages, such as JScript.

Background

The importance of the SOP rests essentially on the combination of two facts:

  • Scripting languages in the browser have direct access, via the Document Object Model (DOM), to all communication between the browser and the web server. This covers both reading and manipulating data, and applies to receiving as well as sending data.
  • The trust relationship between the browser (or user) and different websites can vary enormously.

From this follows the requirement that no information (for example, the browser's connection to a bank's site) may be accessible to, or manipulated by, a script from another context. To achieve this, when a script from a web page accesses an object, the origin of the two is compared.

Comparison of the origin

The origin is defined as the combination of protocol (e.g. http or https), domain and port as specified in the URL. Only if all three are equal is the SOP considered satisfied and script access possible.

Examples

A script embedded in the file http://www.example.com/dir/page.html tries to access an element in the following pages:

Subdomains are an exception: via a special DOM property, a script from the domain www.example.com can, for example, set its context to a higher-level domain such as example.com and thereby access objects in that domain.
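The following is an added example, not part of the original article, that carries out the protocol/domain/port comparison described above for a script embedded in http://www.example.com/dir/page.html against a set of constructed target URLs, and sketches the rule for the subdomain exception (the DOM property in question is document.domain). It assumes the WHATWG URL parser available as the global URL in browsers and Node.js.

```javascript
// Added example (not from the original article): the origin comparison from the
// text, applied to constructed URLs. Uses the WHATWG URL parser, which is the
// global `URL` in browsers and Node.js.

// Split a URL into the three components the SOP compares. `u.port` is "" when
// the port is the scheme default, so the default is filled in explicitly.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaults = { "http:": "80", "https:": "443" };
  return {
    protocol: u.protocol,
    host: u.hostname,
    port: u.port || defaults[u.protocol] || "",
  };
}

// Same origin only if protocol, host and port all match; the path is ignored.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Subdomain relaxation via document.domain: a page may only widen its domain to
// a parent domain at a label boundary (www.example.com -> example.com, never
// other.com or xample.com). Browsers also reject public suffixes such as "com";
// this simplified check only rejects single-label suffixes, not a full list.
function mayRelaxDomainTo(currentHost, requested) {
  if (requested === currentHost) return true;
  return currentHost.endsWith("." + requested) && requested.includes(".");
}

// Constructed targets for a script embedded in http://www.example.com/dir/page.html.
const SCRIPT_URL = "http://www.example.com/dir/page.html";
const TARGETS = [
  "http://www.example.com/dir/other.html",    // only the path differs: same origin
  "http://www.example.com:80/dir2/page.html", // explicit default port: same origin
  "https://www.example.com/dir/page.html",    // protocol differs
  "http://www.example.com:81/dir/page.html",  // port differs
  "http://en.example.com/dir/page.html",      // host differs (sibling subdomain)
  "http://example.com/dir/page.html",         // host differs (parent domain)
];

// Returns [url, allowed] pairs; only the first two targets are allowed.
function checkAll() {
  return TARGETS.map((t) => [t, sameOrigin(SCRIPT_URL, t)]);
}
```

Note that the relaxation only takes effect when both documents set document.domain to the same value; a page that leaves it untouched still does not match a page that relaxed its domain.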

Limitations and problems

The limits of the same-origin policy show in two respects:

  • The SOP is not sufficiently effective as a security mechanism. Many current attack methods, such as DNS rebinding and cross-site request forgery, succeed at circumventing the SOP.
  • On the other hand, the boundaries drawn by the SOP are undesirable in many cases. Especially with the advent of Ajax-based applications and mashups, there is a legitimate wish to go beyond the limits of the SOP. One possibility is Cross-Origin Resource Sharing, but this is not supported by all web browsers.