You are on page 1of 1

Same Origin Policy ( SOP )

vrijdag 26 februari 2010



In practice, there is no single Same Origin Policy, but rather, a set of mechanisms with some superficial resemblance, but quite a few important differences. The following list covers the major actions that cause the browser to check access against the same origin policy:

manipulating browser windows

• URLs requested via the XmlHttpRequest

manipulating frames

manipulating documents

manipulating cookies

The above restrictions don’t limit all interaction, however. There is no limitation on including documents from other sources in HTML tag elements. It’s fairly common for images, style sheets, and scripts to be included from other domains. In fact, the only time same origin explicitly restricts document retrieval is when the XmlHttpRequest method is used.

Same Origin policy for DOM access

This mechanism governs the ability for JavaScript and other scripting languages to access DOM properties and methods across domains The mechanisme uses the read/write JavaScript property document.domain which is set to the domain of the current page To check whether sites can communicate two checks must be passed :

• The protocol, port for non Microsoft Internet Explorer and host of the document.domain’s are the same

• Either both document.domain properties have been altered, or neither have

To illustrate, the following table gives the overview of typical outcomes for checks against the URL

Compared URL Outcome Reason OK Same protocol and host OK Same
Compared URL
Outcome Reason
Same protocol and host
Same protocol and host
Same protocol and host but different port FAILED
Different protocol
Different host FAILED
Different host (exact match required) FAILED
Different host (exact match required)

Same Origin policy for XMLHttpRequest

The set of checks implemented in all browsers for XMLHttpRequest is a close variation of DOM same origin policy, with the following changes:

• Checks for XMLHttpRequest targets do not take document.domain into account Making it therefore impossible for third party sites to mutually agree to permit cross domain requests between them.

• In some implementations, there are additional restrictions on protocols, header fields, and HTTP methods for which the functionality is available, or HTTP response codes which would be shown to scripts (see later).

• In Microsoft Internet Explorer, although port number is not taken into account for "proper" DOM access same origin checks, it is taken into account for XMLHttpRequest.

checks, it is taken into account for XMLHttpRequest. Note again the exclusion of document.domain makes any

Note again the exclusion of document.domain makes any sort of clientside cross domain communications through XMLHttpRequest impossible Additional implementation specific restrictions can be reviewed at rowsersec/wiki/Part2#Same origin_policy_for_XMLHttpRequest

References origin_policy Demand_Javascript

Fundamentals Pagina 1