a critical (browser) security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors. https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
to scripts or programming languages. DOM is a programming interface for HTML and XML documents. DOM represents the page so that programs can change the document structure, style, and content. https://developer.mozilla.org/en-US/docs/Web/API/Document_Object_Model
and gets a separate JavaScript execution context. Frames/iframes can manipulate the parent location using window.parent.location even if the parent has a different origin.
servers. Using XHR you can retrieve data from a URL without having to do a full page refresh. XHR can be used to retrieve any type of data, not just XML, and it supports protocols other than HTTP. XHR requests can be made with cookies and custom HTTP headers. https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest
windows with the same origin. Origin-specific storage that survives browser shutdowns.
Session storage: accessible only to the current window; cleared when the window is closed. https://developer.mozilla.org/en-US/docs/Web/API/Storage
vary from SOP rules. The Domain and Path directives define the scope of the cookie: what URLs the cookies should be sent to. Cookies are identified by (name, domain, path).
Set-Cookie: <cookie-name>=<cookie-value>; Domain=<domain-value>
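The scoping rule above is where cookies diverge from the origin: the browser matches only host and path, ignoring scheme and port. The following is an added example, not code from the original slides, that implements the RFC 6265 domain-match and path-match rules on a constructed Set-Cookie header so the (name, domain, path) scope can be checked against candidate URLs; the function names and sample hosts are assumptions made for the illustration.

```javascript
// Added example (not from the original slides): how a user agent decides
// whether a cookie set with Domain= and Path= is sent to a given URL,
// following the domain-match and path-match rules of RFC 6265
// (sections 5.1.3, 5.1.4, 5.4). Note that scheme and port play no part.

// RFC 6265 5.1.4: default path is the request path up to (not including)
// the last '/', or '/' when there is no '/' beyond the first character.
function defaultPath(requestPath) {
  if (!requestPath.startsWith('/')) return '/';
  const idx = requestPath.lastIndexOf('/');
  return idx === 0 ? '/' : requestPath.slice(0, idx);
}

// Parse a minimal Set-Cookie header into { name, value, domain, hostOnly, path }.
// hostOnly: no Domain attribute was given, so only the exact host matches.
function parseSetCookie(header, requestHost, requestPath) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: requestHost.toLowerCase(),
    hostOnly: true,
    path: defaultPath(requestPath),
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'domain' && v) {
      cookie.domain = v.replace(/^\./, '').toLowerCase(); // leading dot is ignored
      cookie.hostOnly = false;
    } else if (key === 'path' && v.startsWith('/')) {
      cookie.path = v;
    }
  }
  return cookie;
}

// RFC 6265 5.1.3: the host domain-matches the cookie domain if they are
// equal or the cookie domain is a suffix of the host at a label boundary.
function domainMatches(host, cookieDomain) {
  host = host.toLowerCase();
  return host === cookieDomain || host.endsWith('.' + cookieDomain);
}

// RFC 6265 5.1.4 path-match: equal, or prefix ending at a '/' boundary.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith('/') || requestPath[cookiePath.length] === '/';
}

// Would this cookie be attached to a request for host + path?
function cookieSentTo(cookie, host, path) {
  const domainOk = cookie.hostOnly
    ? host.toLowerCase() === cookie.domain
    : domainMatches(host, cookie.domain);
  return domainOk && pathMatches(path, cookie.path);
}

// Constructed sample: cookie set by https://app.example.com/account/login
const sessionCookie = parseSetCookie(
  'session=abc123; Domain=example.com; Path=/account',
  'app.example.com', '/account/login');
console.log(cookieSentTo(sessionCookie, 'api.example.com', '/account/settings')); // true
console.log(cookieSentTo(sessionCookie, 'example.com', '/account'));              // true
console.log(cookieSentTo(sessionCookie, 'app.example.com', '/accounts'));         // false
console.log(cookieSentTo(sessionCookie, 'evil-example.com', '/account'));         // false
```

The last two cases are the ones worth remembering: `/accounts` does not path-match `/account` because the prefix must end at a `/` boundary, and `evil-example.com` does not domain-match `example.com` because the suffix must start at a label boundary.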
the domain portion of the origin of the current document. This property can be used by two cooperating websites that share a common top-level domain to agree that, for the purpose of future same-origin checks, they want to be viewed as the same origin. This feature, although it looks simple, is a security tarpit.
cross-window communication between non-same-origin sites. The window.postMessage() method safely enables cross-origin communication between Window objects; e.g., between a page and a pop-up that it spawned, or between a page and an iframe embedded within it.
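postMessage is only "safe" when the receiving side checks the sender's origin and treats the message data as untrusted input. The block below is an added example, not code from the original slides: a receiver that keeps its validation in a pure function so it can run outside a browser, with a constructed origin allowlist and hypothetical action names.

```javascript
// Added example (not from the original slides): a window.postMessage
// receiver that enforces an origin allowlist and validates message shape
// before dispatching. Origins and action names are constructed for the demo.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',    // constructed: the embedding page
  'https://widget.example.net', // constructed: the embedded iframe
]);

// The receiver decides what a message may do: an explicit action table,
// never eval() or innerHTML on whatever arrived.
const HANDLERS = new Map([
  ['resize', payload => ({ height: Number(payload && payload.height) || 0 })],
  ['ping',   () => ({ pong: true })],
]);

// Returns { ok: true, action, payload } for an accepted message, or
// { ok: false, reason } for one that must be ignored. `event` mirrors the
// MessageEvent fields the handler needs: origin, data, source.
function validateMessage(event, allowed = ALLOWED_ORIGINS) {
  // 1. event.origin is filled in by the browser and cannot be forged by
  //    the sender; a receiver that skips this check trusts every window.
  if (!allowed.has(event.origin)) {
    return { ok: false, reason: `origin not allowed: ${event.origin}` };
  }
  // 2. event.data is attacker-controlled even from an allowed origin
  //    (that origin may itself have been compromised): require structure.
  const data = event.data;
  if (data === null || typeof data !== 'object') {
    return { ok: false, reason: 'data is not an object' };
  }
  if (typeof data.action !== 'string' || !HANDLERS.has(data.action)) {
    return { ok: false, reason: `unknown action: ${String(data.action)}` };
  }
  return { ok: true, action: data.action, payload: data.payload };
}

// Run the handler for a valid message; return null for anything dropped.
function dispatch(event) {
  const v = validateMessage(event);
  if (!v.ok) return null; // drop silently; log v.reason if you monitor this
  return HANDLERS.get(v.action)(v.payload);
}

// Browser wiring (only runs where `window` exists).
if (typeof window !== 'undefined') {
  window.addEventListener('message', event => {
    const result = dispatch(event);
    // Reply to the exact origin, never '*', so the answer cannot be read
    // if the sending frame was navigated elsewhere in the meantime.
    if (result && event.source) {
      event.source.postMessage({ reply: result }, event.origin);
    }
  });
}

// Constructed sample events for a stand-alone run:
console.log(dispatch({ origin: 'https://app.example.com', data: { action: 'ping' } }));
console.log(dispatch({ origin: 'https://evil.example', data: { action: 'ping' } }));
```

The sending side has the mirror-image obligation: pass the intended target origin as the second argument to `postMessage` instead of `'*'`, so the message is delivered only if the target window currently holds a document from that origin.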
a mechanism that uses additional HTTP headers to tell a browser to let a web application running at one origin (domain) have permission to access selected resources from a server at a different origin. https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
CORS request doesn't trigger a pre-flight request. The browser makes a GET/POST/HEAD request and the server responds with Access-Control-Allow-Origin headers. Access-Control-Allow-Origin lets the server determine which origins are allowed to read the responses.
exposed by both XMLHttpRequest and Fetch with CORS is the ability to make "credentialed" requests that are aware of HTTP cookies and HTTP Authentication information.
the XMLHttpRequest request made has to set withCredentials to true in order to make the invocation with cookies. On the server side, the server has to send the Access-Control-Allow-Credentials: true header to let the browser know that the server agrees to share the response of a request made with credentials.
go wrong? Assisted suicide for the application! Almost all browsers don't support this setting!
Access-Control-Allow-Origin: "*"
Access-Control-Allow-Credentials: true
the browser makes a cross-domain request (a request to another domain) it adds an Origin header. That header has the value of the domain the request originates from, almost like the Referer header. https://blog.detectify.com/2018/04/26/cors-misconfigurations-explained/
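Because the browser attaches the Origin header automatically, the server's job is to compare it against an explicit allowlist and only then emit the CORS headers. The block below is an added example, not code from the original slides or from the linked posts: it shows the simple-request rule from the slides, the misconfiguration (any Origin reflected with credentials allowed) next to a hardened variant, and why a substring check on the origin is not a fix. The allowlist and helper names are assumptions made for the illustration.

```javascript
// Added example (not from the original slides): server-side CORS decisions.
// 1. Does a request need a preflight?  2. Insecure vs. hardened response
// headers for a given Origin.  Allowlist values are constructed.

// Simple (no preflight) requests: GET/HEAD/POST, only CORS-safelisted request
// headers, and a safelisted Content-Type. Anything else makes the browser
// send an OPTIONS preflight first. (Approximation of the Fetch spec rule.)
const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function isSimpleRequest(method, headers = {}) {
  if (!SAFE_METHODS.has(method.toUpperCase())) return false;
  const names = Object.keys(headers).map(h => h.toLowerCase());
  if (!names.every(h => SAFELISTED_HEADERS.has(h))) return false; // custom header => preflight
  const ctKey = Object.keys(headers).find(h => h.toLowerCase() === 'content-type');
  const ct = (ctKey ? headers[ctKey] : 'text/plain').split(';')[0].trim().toLowerCase();
  return SAFE_CONTENT_TYPES.has(ct);
}

// MISCONFIGURED: whatever Origin arrives is echoed back and credentials are
// allowed, so any site a logged-in user visits can read authenticated
// responses. This is the reflection pattern the slides warn about; the
// literal "*" + credentials combination is refused by browsers, but
// reflecting the origin reproduces exactly what "*" would have meant.
function corsHeadersInsecure(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// HARDENED: exact match on the full origin (scheme + host + port), Vary:
// Origin so a shared cache never serves one origin's answer to another, and
// no CORS headers at all for unknown origins (the browser then blocks reads).
const ALLOWED_ORIGINS = new Set(['https://app.example.com']); // constructed allowlist

function corsHeadersSecure(origin, allowed = ALLOWED_ORIGINS) {
  if (!origin || !allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// A common "fix" that is not one: suffix or substring matching on the host.
// An origin like https://notexample.com passes this check.
function naiveSuffixCheck(origin) {
  return origin.endsWith('example.com');
}

// Constructed sample requests for a stand-alone run:
console.log(isSimpleRequest('GET', {}));                                          // true
console.log(isSimpleRequest('POST', { 'Content-Type': 'application/json' }));      // false
console.log(corsHeadersSecure('https://app.example.com'));
console.log(corsHeadersSecure('https://notexample.com'));                         // {}
console.log(naiveSuffixCheck('https://notexample.com'));                          // true
```

When reviewing a deployment, the two checks to make are that `Access-Control-Allow-Origin` is never derived from the request without an exact-match allowlist, and that a `Vary: Origin` header accompanies any per-origin value that passes through a cache.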
Web: A Guide to Securing Modern Web Applications
Same-origin policy: The core of web security, by Kirk Jackson
Same-Origin Policy: Evaluation in Modern Browsers, USENIX Security 2017
Learn SOP while modeling with Alloy
The Browser Hacker's Handbook
https://portswigger.net/blog/exploiting-cors-misconfigurations-for-bitcoins-and-bounties