Explain the same-origin policy with regards to JavaScript
TL;DR
The same-origin policy is a security measure implemented in web browsers to prevent malicious scripts on one page from accessing data on another page. It ensures that web pages can only make requests to the same origin, where the origin is defined by the combination of the protocol, domain, and port. For example, a script from http://example.com
cannot access data from http://anotherdomain.com
.
What is the same-origin policy?
The same-origin policy is a critical security concept for web applications. It restricts how documents or scripts loaded from one origin can interact with resources from another origin. This policy helps to prevent malicious activities such as cross-site scripting (XSS) and cross-site request forgery (CSRF).
Definition of origin
An origin is defined by the scheme (protocol), host (domain), and port of a URL. For example, the origin of http://example.com:80/page
is:
- Scheme:
http
- Host:
example.com
- Port:
80
Two URLs have the same origin if and only if all three components (scheme, host, and port) are identical.
How it works
When a web page makes a request to another URL, the browser checks if the request is to the same origin. If the request is to a different origin, the browser blocks the request unless the server explicitly allows it using mechanisms like Cross-Origin Resource Sharing (CORS).
Example
Consider the following example:
http://example.com/page1
can accesshttp://example.com/page2
because they share the same origin.http://example.com/page1
cannot accesshttp://anotherdomain.com/page
because they have different origins.
Exceptions
There are some exceptions to the same-origin policy, such as:
- Cross-Origin Resource Sharing (CORS): A mechanism that allows servers to specify who can access their resources.
- JSONP: A technique used to request data from a server residing in a different domain.
- WebSockets: A protocol that allows for full-duplex communication channels over a single TCP connection.
Code example
Here is a simple example demonstrating the same-origin policy: