The Same Origin Policy (SOP) is a security policy enforced by web browsers that restricts how a document or script loaded from one origin can interact with resources from another origin. In particular, it prevents a page from reading the DOM of a page served from a different origin. The goal is to stop one site from reading or tampering with another site's data through the user's browser.
An origin is the combination of scheme (protocol), host (the full hostname, including any subdomain) and port. Two URLs have the same origin only when all three match; the path, query string and fragment do not matter, and a scheme's default port (80 for http, 443 for https) counts as the same as no port. Let's consider an example:
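The following is an added example (not code from the original article) that splits a URL into the scheme/host/port triple defining its origin and compares URLs the way the browser does. It uses only the standard WHATWG URL class, so it runs unchanged in Node.js or a browser console; the example.com URLs are constructed for the illustration.

```javascript
// Added example, not code from the original article. Splits a URL into the
// scheme/host/port triple that defines its origin and compares two URLs the
// way the browser does. Only the standard WHATWG URL class is used.

// Ports the URL parser treats as implied by the scheme (it drops them when
// written explicitly, so http://a.example:80 and http://a.example coincide).
const DEFAULT_PORTS = { http: "80", https: "443", ws: "80", wss: "443", ftp: "21" };

// Return the origin triple of a URL. Path, query, fragment and userinfo are
// deliberately not part of the result: they never affect the origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);          // "https:" -> "https"
  const host = u.hostname;                         // already lower-cased by the parser
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[scheme] ?? "");
  return { scheme, host, port };
}

// Two URLs share an origin only if all three components match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cross-check against the browser's own serialization (URL.prototype.origin).
function sameOriginBuiltin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Constructed sample pairs; the comment on each states why the verdict holds.
const BASE = "https://www.example.com/account/settings";
const CASES = [
  ["https://www.example.com/messages?inbox=1#top", true],  // only path/query/fragment differ
  ["https://www.example.com:443/",                  true],  // explicit default port
  ["https://WWW.Example.COM/",                       true],  // host is case-insensitive
  ["http://www.example.com/",                        false], // scheme differs
  ["https://example.com/",                           false], // subdomain is part of the host
  ["https://api.example.com/",                       false], // sibling subdomain
  ["https://www.example.com:8443/",                  false], // port differs
];

// Evaluate every case; returns [] when both implementations agree with the
// expected verdicts, otherwise the URLs on which they disagree.
function checkCases() {
  return CASES
    .filter(([url, expected]) =>
      sameOrigin(BASE, url) !== expected || sameOriginBuiltin(BASE, url) !== expected)
    .map(([url]) => url);
}

for (const [url, expected] of CASES) {
  console.log(`${url.padEnd(46)} same origin as base: ${sameOrigin(BASE, url)} (expected ${expected})`);
}
console.log(checkCases().length === 0 ? "all cases agree" : `mismatch: ${checkCases()}`);
```

The manual `originOf` is there to make the three components visible; in production code `new URL(x).origin` is the right comparison, since the parser already normalizes case and default ports. Note that `https://example.com` and `https://www.example.com` are different origins even though they are usually the same site, which is why cookie scoping (domain-based) and the SOP (origin-based) do not line up.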
The policy is enforced whenever content from different origins interacts, such as:
The same-origin policy prevents other sites from reading data that the browser fetches on the user's behalf. When the browser sends an HTTP request to a site, it attaches the cookies it holds for that site, including the session cookie, even when the request was triggered by a page on a different site (subject to the cookie's SameSite attribute).
Because the session cookie identifies the logged-in user, the server's response is specific to that user and may contain sensitive information. So even if you visit a malicious page that embeds Facebook in an iframe or requests Facebook URLs, the browser may well send those requests with your Facebook cookies, but the malicious page's scripts cannot read the response or the framed document, and so cannot extract your personal information. Note what the policy does and does not do: it blocks reading the response, not sending the request, which is why cross-site request forgery needs its own defences (anti-CSRF tokens, SameSite cookies).
The SOP does, however, permit cross-origin embedding: a page may include images, stylesheets, scripts, fonts, media and iframes from another site through elements such as <img>, <link>, <script> and <iframe>. These exceptions exist largely because the web depended on them before the policy was formalized, and browsers have added further controls around them (CORS, SameSite cookies) rather than removing them.
Even though a page can load these cross-origin resources, its JavaScript cannot read their contents: a cross-origin <script> is executed but its source is not readable, the pixels of a cross-origin image cannot be read back through a canvas (the canvas becomes tainted), and the contentDocument of a cross-origin iframe is inaccessible. Reading a cross-origin response is only possible when the serving site opts in explicitly through CORS (Cross-Origin Resource Sharing) response headers such as Access-Control-Allow-Origin.
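As an added example (not from the original article), here is a small model of the browser's decision for a page at one origin that loads or reads a resource from another: embedding is allowed but opaque, reading needs either the same origin or an explicit CORS grant, and a cross-origin frame's DOM is never readable. The origins https://evil.example and https://bank.example, the paths and the response headers are all constructed for the illustration; preflight requests, Vary handling and CORB/CORP are deliberately not modelled.

```javascript
// Added example, not code from the original article. Models the browser's
// load/read decision under the same-origin policy and CORS. All origins,
// paths and headers below are constructed for the illustration.

// Element kinds that may embed a cross-origin resource (contents stay opaque).
const EMBED_KINDS = new Set(["img", "script", "stylesheet", "iframe", "video", "audio"]);

// Case-insensitive header lookup, as HTTP header names are case-insensitive.
function headerValue(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name.toLowerCase());
  return key === undefined ? undefined : headers[key];
}

// CORS check for a cross-origin fetch/XHR response. With credentials (cookies)
// the wildcard is rejected and Access-Control-Allow-Credentials must be "true";
// without credentials either "*" or an exact origin match is enough.
function corsAllowsRead(pageOrigin, responseHeaders, credentials) {
  const allowOrigin = headerValue(responseHeaders, "Access-Control-Allow-Origin");
  if (allowOrigin === undefined) return false;
  if (credentials) {
    return allowOrigin === pageOrigin &&
      headerValue(responseHeaders, "Access-Control-Allow-Credentials") === "true";
  }
  return allowOrigin === "*" || allowOrigin === pageOrigin;
}

// Decide whether the request is sent and whether the page may read the result.
// kind: one of EMBED_KINDS, "iframe-dom" (reading a frame's document) or "fetch".
function decideAccess({ pageOrigin, resourceUrl, kind, credentials = false, responseHeaders = {} }) {
  const resourceOrigin = new URL(resourceUrl).origin;
  if (resourceOrigin === pageOrigin) {
    return { requestSent: true, canRead: true, reason: "same origin" };
  }
  if (EMBED_KINDS.has(kind)) {
    return { requestSent: true, canRead: false,
             reason: `cross-origin <${kind}> may be embedded, but its contents are opaque to ${pageOrigin}` };
  }
  if (kind === "iframe-dom") {
    return { requestSent: true, canRead: false,
             reason: "cross-origin frame DOM is never readable; CORS does not apply to documents" };
  }
  if (kind === "fetch") {
    const ok = corsAllowsRead(pageOrigin, responseHeaders, credentials);
    return { requestSent: true, canRead: ok,
             reason: ok ? "server granted CORS access to this origin"
                        : "request was sent (with cookies if credentialed) but the response is opaque" };
  }
  throw new Error(`unknown access kind: ${kind}`);
}

// Constructed scenarios: a malicious page at evil.example targeting bank.example.
const PAGE = "https://evil.example";
const BALANCE = "https://bank.example/api/balance";
const SCENARIOS = {
  // Cookies go along, but without CORS headers the response body is unreadable.
  fetchNoCors: decideAccess({ pageOrigin: PAGE, resourceUrl: BALANCE, kind: "fetch", credentials: true }),
  // A wildcard does not unlock credentialed responses.
  fetchWildcardWithCookies: decideAccess({ pageOrigin: PAGE, resourceUrl: BALANCE, kind: "fetch",
    credentials: true, responseHeaders: { "Access-Control-Allow-Origin": "*" } }),
  // The server reflecting the attacker's origin with credentials allowed is a misconfiguration.
  fetchServerOptedIn: decideAccess({ pageOrigin: PAGE, resourceUrl: BALANCE, kind: "fetch",
    credentials: true, responseHeaders: { "Access-Control-Allow-Origin": PAGE,
                                          "Access-Control-Allow-Credentials": "true" } }),
  iframeDom: decideAccess({ pageOrigin: PAGE, resourceUrl: "https://bank.example/account", kind: "iframe-dom" }),
  imageEmbed: decideAccess({ pageOrigin: PAGE, resourceUrl: "https://bank.example/logo.png", kind: "img" }),
  sameOrigin: decideAccess({ pageOrigin: PAGE, resourceUrl: "https://evil.example/data.json", kind: "fetch" }),
};

for (const [name, verdict] of Object.entries(SCENARIOS)) {
  console.log(`${name.padEnd(26)} sent=${verdict.requestSent} read=${verdict.canRead}  ${verdict.reason}`);
}
```

The scenario worth remembering is `fetchServerOptedIn`: the policy protects the user only as long as the target site does not hand out Access-Control-Allow-Origin for arbitrary origins together with Access-Control-Allow-Credentials: true. Auditing that pair of headers on authenticated endpoints is a standard check in a web assessment.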