Introduction
Today, modern browsers ship with many built-in security mechanisms to protect users against web attacks. Content Security Policy, cookie policies, and the Same-Origin Policy are a few of them.
These built-in mechanisms cannot protect us fully, but they provide an extra layer of security that makes an attacker work harder.
Here we are going to discuss one browser feature: the SOP (Same-Origin Policy).
Same Origin Policy
Before looking at SOP, we need to understand what an origin is. In this context, an origin identifies where a specific resource such as a script or document comes from.
An origin consists of three elements: the hostname (test.com), the protocol or scheme (HTTP or HTTPS), and the port (80, 443, 8080). Note that the path is not part of the origin.
During an SOP check, the browser compares the origin of the current document with the origin of the requested resource; if all three elements match, the two are considered the same origin.
Example: let’s compare the origin of http://old.test.com/dir/ with the URLs in the table below.
| URL | Result | Reason |
|-----|--------|--------|
| http://old.test.com/dir2/index.html | Same-origin | Same host, protocol, port (only the path differs) |
| https://old.test.com/dir2/ | Failure | Different protocol |
| http://old.test.com/dir/other.html | Same-origin | Only the path differs |
| http://old.test.com:81/dir/page.html | Failure | Different port |
| http://new.test.com/dir/page.html | Failure | Different hostname |
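The following is an added example (not code from the original post) that implements the comparison described above: it splits a URL into the three elements of an origin (scheme, hostname, port), fills in the default port so that `http://old.test.com` and `http://old.test.com:80` compare equal, and checks each URL from the table against the document origin. It runs under Node.js, which provides the WHATWG `URL` class as a global; the document origin and candidate URLs are the ones from the table plus one constructed entry with an explicit default port.

```javascript
// Added example, not from the original post: a Same-Origin Policy comparison
// over (scheme, host, port). Runs under Node.js; `URL` is a global there.

// Default ports per scheme, so an omitted port and an explicit default port
// are treated identically, as the browser does.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the three elements of a URL's origin. The path, query and fragment
// are deliberately ignored because they are not part of the origin.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL elides a default port (u.port === ""), so make it explicit.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

// Same-origin check: every element must match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Name the first element that differs, mirroring the "Reason" column.
function whyDifferent(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  if (x.scheme !== y.scheme) return "different protocol";
  if (x.host !== y.host) return "different hostname";
  if (x.port !== y.port) return "different port";
  return "same origin";
}

// Check a list of URLs against the origin of the current document.
function checkAll(docUrl, urls) {
  return urls.map((url) => ({
    url,
    sameOrigin: sameOrigin(docUrl, url),
    reason: whyDifferent(docUrl, url),
  }));
}

// Constructed sample input: the document origin and the URLs from the table,
// plus one extra URL with the default port written out explicitly.
const DOCUMENT = "http://old.test.com/dir/";
const CANDIDATES = [
  "http://old.test.com/dir2/index.html",
  "https://old.test.com/dir2/",
  "http://old.test.com/dir/other.html",
  "http://old.test.com:81/dir/page.html",
  "http://new.test.com/dir/page.html",
  "http://old.test.com:80/dir/page.html", // explicit :80 is still the same origin
];

for (const r of checkAll(DOCUMENT, CANDIDATES)) {
  const verdict = r.sameOrigin ? "Same-origin" : "Failure    ";
  console.log(`${verdict}  ${r.url}  (${r.reason})`);
}
```

The last candidate is the one case the table does not spell out: a port that is written explicitly but equals the scheme's default is still the same origin, which is why the comparison normalises the port rather than comparing the raw URL strings.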
The same-origin policy is an important security feature of every browser. Its main purpose is to restrict how documents, scripts, or media files loaded from one origin can interact with resources from a different origin.
SOP applies to scripts reading documents and responses. It does not stop the browser from embedding resources such as CSS, images, or scripts from another origin via the corresponding HTML tags; those can still be loaded and displayed, but a script cannot read their contents.
Conclusion
A browser can load and display resources from multiple sites and can embed multiple iframes from different sites. If the browser imposed no restriction, a script compromised by an attacker on one site could read everything else in a user’s browser.
Here, SOP acts as a gatekeeper and restricts read access to resources loaded from a different origin.
Secure your e-commerce store with Webkul through its basic security module.
In case of any help or query, please contact us or raise a ticket.