Same origin policy (SOP) is a security measure for client-side scripting that prevents a document or script loaded from one “origin” from getting or setting properties of a document from a different origin. With SOP, a browser should not trust content loaded from arbitrary websites. Under SOP, web pages run within a “sandbox” and are prevented from accessing resources from other origins. Without this protection, a malicious web page may compromise the confidentiality or integrity of another web page.
The term “origin” is defined using the domain name, protocol, and port. Two pages belong to the same origin if these three values are the same. To illustrate, the following Table 1 gives examples of origin comparisons to the URL “http://www.example.com/dir/page.html”. The column labeled “Outcome” illustrates the result of SOP for a corresponding URL.
TABLE 1

URL                                           Outcome   Reason
http://www.example.com/dir2/other.html        Success   Same protocol and host
http://www.example.com/dir/inner/other.html   Success   Same protocol and host
http://www.example.com:81/dir2/other.html     Failure   Same protocol and host but different port
https://www.example.com/dir2/other.html       Failure   Different protocol
http://en.example.com/dir2/other.html         Failure   Different host
http://example.com/dir2/other.html            Failure   Different host
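The origin comparison described above, written out as an added example (this code is not part of the original text). It splits each URL into protocol, host and port, normalizes an omitted port to the scheme's default, and reports which component differs, run over the URLs of Table 1 against the base page; the function names and the DEFAULT_PORTS table are this example's own assumptions.

```javascript
// Added example: same-origin check over the Table 1 URLs (not from the original text).
// Default ports assumed here so that "http://host" and "http://host:80" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to the three components that define its origin.
function originOf(urlString) {
  const u = new URL(urlString);
  // The WHATWG URL parser already drops an explicit default port, so
  // u.port is "" for both "http://host/" and "http://host:80/".
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

// True only when protocol, host and port all match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// Like sameOrigin, but also lists the differing components, mirroring the
// "Reason" column of Table 1. Note that a different scheme usually implies a
// different default port, so https vs http reports both "protocol" and "port".
function compareOrigins(base, candidate) {
  const x = originOf(base), y = originOf(candidate);
  const differing = [];
  if (x.protocol !== y.protocol) differing.push("protocol");
  if (x.host !== y.host) differing.push("host");
  if (x.port !== y.port) differing.push("port");
  return { success: differing.length === 0, differing };
}

// The base page and the candidate URLs from Table 1.
const BASE = "http://www.example.com/dir/page.html";
const TABLE_1 = [
  "http://www.example.com/dir2/other.html",
  "http://www.example.com/dir/inner/other.html",
  "http://www.example.com:81/dir2/other.html",
  "https://www.example.com/dir2/other.html",
  "http://en.example.com/dir2/other.html",
  "http://example.com/dir2/other.html",
];

for (const url of TABLE_1) {
  const r = compareOrigins(BASE, url);
  console.log(`${url.padEnd(45)} ${r.success ? "Success" : "Failure"} ` +
              (r.success ? "" : `(different ${r.differing.join(", ")})`));
}
```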