4. Same Origin Policy:
"The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin."
- MDN (https://developer.mozilla.org)
7. FYI - IE Exceptions
• Trust Zones: if both domains are in the highly trusted zone, the same-origin limitations are not applied.
• Port: IE doesn't include the port in the same-origin comparison, so http://example.com:80/abc & http://example.com:8080/xyz are considered to be from the same origin.
[Non-standard and not supported in any other browser]
8. Same Origin Policy
Changing Origin:
• A page may change its own origin to a suffix of its current domain.
• But it cannot set its document.domain to another domain.
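Added example (not from the slides or from MDN): a small model of the origin comparison on slides 7 and 8. An origin is the (scheme, host, port) triple; the `ignorePort` option reproduces the old IE behaviour of leaving the port out, and `canSetDocumentDomain` encodes the rule that a page may relax its origin only to a whole-label suffix of its own host. Function names and the single-label check are assumptions of this example.

```javascript
// Added example modelling the same-origin rules described on the slides.
// Uses the WHATWG URL class available in browsers and Node.js.

// Split a URL into its origin triple. URL.port is "" for a scheme's default
// port, so normalise it so "http://a.com/" and "http://a.com:80/" compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Standard check: scheme, host and port must all match.
// ignorePort = true reproduces the non-standard IE behaviour (slide 7).
function sameOrigin(a, b, { ignorePort = false } = {}) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.scheme !== ob.scheme || oa.host !== ob.host) return false;
  return ignorePort || oa.port === ob.port;
}

// Slide 8: a page on currentHost may set document.domain to a suffix of that
// host made of whole labels ("www.example.com" -> "example.com"), never to an
// unrelated domain. Browsers also refuse a bare public suffix such as "com";
// this model approximates that by rejecting single-label targets (assumption).
function canSetDocumentDomain(currentHost, target) {
  if (target === currentHost) return true;
  if (!currentHost.endsWith("." + target)) return false;
  return target.includes(".");
}
```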
10. Same Origin Policy
Cross-Origin Network Access:
• Cross-origin writes are allowed (examples are links, redirects and form submissions).
• Cross-origin embedding is allowed.
• Cross-origin reads are not allowed.
11. Same Origin Policy
Cross-Origin Embedding:
• JavaScript with <script src="..."></script>.
• CSS with <link rel="stylesheet" href="...">.
• Images with <img>.
• Media files with <video> and <audio>.
• Plug-ins with <object>, <embed> and <applet>.
• Anything with <frame> and <iframe>.
* Mitigation: X-Frame-Options header.
Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
12. How to block cross-origin access:
• To prevent cross-origin writes, use a random token.
• To prevent cross-origin reads of a resource, ensure that it is not embeddable.
Reference: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Same_origin_policy_for_JavaScript
13. How to allow cross-origin access:
CORS
(To be continued...)