Same Origin Policy
The same-origin policy ( SOP ; German " same-origin policy " ) is a safety concept , the client-side scripting languages such as JavaScript and ActionScript , but also Cascading Style Sheets forbidden access objects (such as graphics), the other by a Website or whose location does not match the Origin . It represents an essential security element in all modern browsers and web applications for protection against attacks.
history
The same-origin policy was introduced by Netscape in 1996 with JavaScript in Netscape Navigator 2.0. It was adopted by other manufacturers in their JavaScript implementations or proprietary scripting languages such as JScript .
background
The background for the great importance of the SOP is essentially the combination of two facts:
- Script languages in the browser have direct access to all communication between the browser and the web server via the Document Object Model (DOM) . This includes the reading out as well as the manipulation of data and concerns not only the receiving but also the sending of data.
- The relationship of trust between the browser (or user) and various websites can be extremely different.
This results in the requirement that no information from one context (for example, the connection of the browser to the page of a bank) may be accessible or manipulated by a script from another context. To achieve this, when a script accesses an object on a website, the origin of both is compared.
Comparison of the origin
The combination of protocol ( e.g. HTTP or HTTPS ), domain and port in the URL is defined as the origin . The SOP is only considered fulfilled and script access is possible if all three are the same.
Examples
A script embedded in the file http://www.example.com/dir/page.html tries to access an element in the following pages:
addressed URL | Result | reason |
---|---|---|
http://www.example.com /dir/page2.html | Yes | same protocol, host and port |
http://www.example.com /dir2/other.html | Yes | same protocol, host and port |
http: // username: password @ www.example.com /dir2/other.html | Yes | same protocol, host and port |
http://www.example.com: 81 /dir/other.html | No | same protocol and host, but different port |
https : //www.example.com/dir/other.html | No | different protocol |
http: // en.example.com /dir/other.html | No | other host |
http: // example.com /dir/other.html | No | other host (exact match required, an exception is possible here, see below) |
http: // v2.www.example.com /dir/other.html | No | other host (exact match required) |
http://www.example.com: 80 /dir/other.html | - | Port unique. Depends on the implementation of the browser. |
Subdomains are an exception : Using a special DOM property, for example, a script from the domain www.example.com can set the context to the higher-level domain example.com and thus access objects from this domain. However, this does not apply to access to other subdomains.
Limits and problems
The limits of the same-origin policy are important in two ways:
- The SOP is not sufficiently effective as a security mechanism. Many current attack methods such as DNS rebinding and cross-site request forgery successfully aim to bypass the SOP.
- On the other hand, the limits drawn by the SOP are in many cases undesirable. Particularly with the advent of Ajax-based applications and mashups, there is a legitimate desire to go beyond the boundaries of the SOP. One possibility is Cross-Origin Resource Sharing (CORS), which allows a server to specifically determine which pages should have access to the response despite their foreign origin. CORS must be explicitly supported by the browser; meanwhile (as of 2020) CORS is supported by almost all browsers.
See also
- Cross site scripting (XSS)
Individual evidence
- ^ Netscape Browser Archive . Retrieved October 12, 2008.
- ↑ Mozilla: Same origin policy for JavaScript . Retrieved October 12, 2008.
swell
- Daniel Bachfeld: Dark spots, new types of attacks take web users by surprise . Heise Security.