Same-Origin Policy

A critical security mechanism restricting how a document or script loaded by one origin can interact with a resource from another origin.

Internet3 min readConcept 17 of 35

What it is

The Same-Origin Policy (SOP) is a critical security mechanism built into modern web browsers.

It restricts how a document or script loaded by one origin can interact with a resource from another origin. Two URLs have the same origin if and only if they share the exact same **Protocol** (e.g., http vs https), **Port** (e.g., 80 vs 443), and **Host** (e.g., www.example.com vs api.example.com).

Why it matters

SOP matters because it provides the baseline security that protects the user's data.

If you are logged into your bank account in one tab, and you visit an evil hacker's website in another tab, SOP prevents the hacker's scripts from reading your bank account data or making authenticated reads on your behalf. Without SOP, any website could read your personal data from any other website you are logged into.

How it works

SOP doesn't block everything; it categorizes interactions:

**Cross-origin reads are blocked**: You cannot read data from another origin (e.g., reading the DOM of an iframe from another site, or reading the JSON response of a fetch() request).

**Cross-origin writes are allowed**: You can send data to another origin (e.g., submitting an HTML <form>, clicking a link, or redirecting).

**Cross-origin embeds are allowed**: You can display resources from another origin (e.g., <script src="...">, <img>, <video>, <iframe>), but you cannot inspect their contents via JavaScript.

Try it

Play the **Border Guard Sandbox**. Try dragging different actions across origins and watch the guard allow writes and embeds, but slam the shutter on reads!

The SOP Border Checkpoint

Your Bank

https://bank.com
Mailbox
Vault
BLOCKED
Browser Security

Evil Hacker Site

https://hacker.com

Check yourself

Pick an answer to lock it in, then read why. Getting one wrong is part of how it sticks.

  1. 1Which of the following URLs has the same origin as http://store.company.com/dir/page.html?
  2. 2Which cross-origin action is generally *allowed* by the Same-Origin Policy by default?
  3. 3What is the primary purpose of the Same-Origin Policy?

Remember this

  • Origin = Protocol + Host + Port.
  • SOP blocks reads, but generally allows writes and embeds.
  • SOP protects the user's browser, not the back-end server.

Done with this concept?

Mark it complete to track your progress. No login needed.