Same origin policy

Same origin policy

In computing, the same origin policy is an important security measure for client-side scripting (mostly JavaScript). The policy dates from Netscape Navigator 2.0, with necessary coverage fixes in Navigator 2.01 and Navigator 2.02. It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin".

Access restriction

The philosophy of the same origin policy is simple: the browser should not trust content loaded from arbitrary websites. Web pages run within the sandbox are prevented from accessing resources from other origins. Without this protection, a malicious web page could compromise the confidentiality or integrity of another web page.

The term "origin" is defined using the domain name, protocol and port. Two pages belong to the same origin if and only if these three values are the same. To illustrate, the following table gives examples of potential outcomes and comparisons to the URL "http://www.example.com/dir/page.html".

By using relative URLs and limiting the use to URLs in the same origin, this restriction can be easily avoided.

For communication between a domain and its subdomain, the restriction can be overcome by setting the DOM property document.domain to the parent domain. Example: If a script from http://en.example.com sets document.domain="example.com", it can access content from http://example.com .

Overcoming access restriction

It is possible to "overcome" this restriction by signing the script. However, in practice signed script is rarely used. This is mainly because Internet Explorer does not support signed scripts, and not everyone can afford a widely recognized digital signature, especially not casual web developers. Even if the script is signed, a prompt window would appear whenever the script required access to extended privileges. This is another security measure (as a signed script is not necessarily a script that can be trusted): it is trusted that the script comes from that origin, but it is still unknown what the script actually does.

The same-origin policy is overcome when users save the untrusted HTML files and run them from the local filesystem. This makes it possible for a locally-run HTML file to, for instance, retrieve data from the local filesystem. The information [http://www.gnucitizen.org/blog/web-pages-from-hell here] and [http://www.gnucitizen.org/blog/web-pages-from-hell-2 here] explain some of the potential problems, however applications such as [http://www.tiddlywiki.com TiddlyWiki] use this ability to save changes locally and simplify the XMLHttpRequest process.

It is also possible to implement a proxy script on the server.

JSON

While it is not possible to directly query websites for data due to the same origin policy, the <script> tag does not honor the same-origin policy and can be used in conjunction with JSON.

DNS rebinding

The DNS basis of the same origin policy can be subverted by setting a very low TTL at an attacker's DNS server and returning forged responses to subsequent DNS requests.

Session hijack

:"Main article: Cross-site request forgery

The same-origin policy doesn't restrict posting data (via POST or GET method). The javascript can still send HTTP POST/GET request to any domain, but it just can't access the contents of the data returned from that request (because of same-origin policy). The stored cookies will be sent along with that HTTP request. It can then hijack the cookies session, and do any transaction blindly.

Some web applications, prevent this session hijack by adding another credential token into the request form. This token is embeded in HTML, and can't be read by the script on the other domain due to same-origin policy. The field "wpEditToken" in the edit form of MediaWiki software is an example of this.

Vendor adoption

This policy is used in modern web browsers that support client-side scripting. Internet Explorer uses an alternative approach of [http://www.microsoft.com/windows/ie/using/howto/security/settings.mspx security zones] in addition to the same-origin (or "same-site") policy. By default in Internet Explorer, internet web sites are restricted to their site-of-origin, but the user may choose to allow local intranet sites (or sites that they have explicitly trusted) to access data across domains (up to Internet Explorer 5). This is useful for certain types of applications that need to aggregate data from multiple sites, such as trusted internal portals.

ee also

*Cross-site scripting
*Cross-site request forgery

External links

* [http://www.mozilla.org/projects/security/components/same-origin.html JavaScript Security: Same Origin (Mozilla)]
* [http://www.jsdir.com/red/jssecurity.pdf JavaScript Security in Communicator 4.x (PDF)]
* [http://web.archive.org/web/20050404123540/http://jpspan.sourceforge.net/wiki/doku.php?id=javascript:xmlhttprequest:behaviour#security Violating Same Origin Policy with XMLHttp: Cross-Browser Differences (SourceForge Wiki)]
* [http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/1/ Second page of an article on JavaScript Security (focuses on Same Origin issues)]
* [http://taossa.com/index.php/2007/02/08/same-origin-policy/ Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF]


Wikimedia Foundation. 2010.

Игры ⚽ Поможем написать курсовую

Look at other dictionaries:

  • Same-Origin-Policy — Die Same Origin Policy (SOP) ist ein Sicherheitskonzept, das es JavaScript und ActionScript nur dann erlaubt, auf Objekte einer anderen Webseite zuzugreifen, wenn sie aus derselben Quelle (Origin) stammen. Sie stellt ein wesentliches… …   Deutsch Wikipedia

  • Same Origin Policy — Zu diesem Stichwort gibt es keinen Artikel. Möglicherweise ist „Same Origin Policy“ gemeint. Kategorie: Wikipedia:Falschschreibung …   Deutsch Wikipedia

  • Cross-origin resource sharing — Эту статью следует викифицировать. Пожалуйста, оформите её согласно правилам оформления статей …   Википедия

  • Same-sex marriage in New Mexico — Same sex marriages are not performed in the state of New Mexico, which also does not provide civil unions or domestic partnerships. New Mexico is one of three states (the others being New York and Rhode Island)… …   Wikipedia

  • Cross-Origin Resource Sharing — (CORS) is a web browser technology specification, which defines ways for a web server to allow its resources be accessed by a web page from a different domain.[1] Such access would otherwise be forbidden by the same origin policy. Contents 1… …   Wikipedia

  • Origin of the Romanians — History of Romania This article is part of a series Prehistory …   Wikipedia

  • Same-sex marriage — Legal recognition of same sex relationships Marriage Argentina Belgium Canada Iceland …   Wikipedia

  • Origin of Latter Day Saint polygamy — Mormonism and polygamy Members of Joseph F. Smith s family, including his sons and daughters, as well as their spouses and children, circa 1900 …   Wikipedia

  • Origin and development of the Qur'an — The study of the origins and development of the Qur’an can be said to fall into two major schools of thought, the first being a traditionalist Muslim view and the later being a non traditionalist view.According to the traditionalist view, the Qur …   Wikipedia

  • Origin of the Gupta dynasty — The history of the Gupta dynasty (Sanskrit: गुप्त राजवंश) begins with its founding by Sri Gupta around 240 CE, although dates are not well established. The empire covered most of Northern India and Eastern Pakistan, parts of Gujarat and Rajasthan …   Wikipedia

Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”