In this section we explain what the same-origin policy (SOP) is and how it is implemented.
The same-origin policy is a web browser security mechanism that aims to prevent websites from attacking each other.
The same-origin policy restricts scripts on one origin from accessing data from another origin. An origin consists of a URI scheme, domain and port number. For example, consider the following URL:
This uses the scheme http, the domain normal-website.com, and the port number 80. The following table shows how the same-origin policy will be applied if content at the above URL tries to access other origins:
|URL accessed||Access permitted?|
|http://normal-website.com/example/||Yes: same scheme, domain, and port|
|http://normal-website.com/example2/||Yes: same scheme, domain, and port|
|https://normal-website.com/example/||No: different scheme and port|
|http://en.normal-website.com/example/||No: different domain|
|http://www.normal-website.com/example/||No: different domain|
|http://normal-website.com:8080/example/||No: different port*|
*Internet Explorer will allow this access because IE does not take account of the port number when applying the same-origin policy.
When a browser sends an HTTP request from one origin to another, any cookies, including authentication session cookies, relevant to the other domain are also sent as part of the request. This means that the response will be generated within the user's session, and include any relevant data that is specific to the user. Without the same-origin policy, if you visited a malicious website, it would be able to read your emails from GMail, private messages from Facebook, etc.
There are various exceptions to the same-origin policy:
Due to legacy requirements, the same-origin policy is more relaxed when dealing with cookies, so they are often accessible from all subdomains of a site even though each subdomain is technically a different origin. You can partially mitigate this risk using the HttpOnly cookie flag.
It's possible to relax same-origin policy using document.domain. This special property allows you to relax SOP for a specific domain, but only if it's part of your FQDN (fully qualified domain name). For example, you might have a domain marketing.example.com and you would like to read the contents of that domain on example.com. To do so, both domains need to set document.domain to example.com. Then SOP will allow access between the two domains despite their different origins. In the past it was possible to set document.domain to a TLD such as com, which allowed access between any domains on the same TLD, but now modern browsers prevent this.