Security Testing Same Origin Policy

What is Same Origin Policy?

Same Origin Policy (SOP) is a primary concept in the web application security model. Under this policy, the browser lets scripts running on a web page access only content from pages of the same origin, where the origin is the combination of the following:

  • Domain
  • Protocol
  • Port


The reason for this behaviour is security. For instance, if you have try.com open in one window and gmail.com in another, you do not want a script from try.com to be able to read or change the content of gmail.com, or to run actions in the context of gmail.com on your behalf.

The following web pages are from the same origin. As noted above, the same-origin check takes domain, protocol and port into consideration.

  • http://website.com
  • http://website.com/
  • http://website.com/my/contact.html

The following web pages are from a different origin.

  • http://www.site.co.uk (another domain)
  • http://site.org (another domain)
  • https://site.com (another protocol)
  • http://site.com:8080 (another port)

Same Origin Policy Exceptions for IE

Internet Explorer has two important exceptions to SOP.

  • The first one is related to 'Trusted Zones'. If both domains are in the highly trusted zone, then the Same Origin Policy is not applied at all.
  • The second exception in IE is related to the port. IE does not include the port in its same-origin check, so http://website.com and http://website.com:4444 are considered to be from the same origin and no restrictions are applied.
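The origin comparison described above (protocol, domain and port) and the IE port exception can both be made concrete in a few lines of JavaScript. The following is an added example, not code from the original tutorial: it uses the standard `URL` class to extract the origin tuple of each address, applies the default port when a URL omits it, and takes an optional `ignorePort` flag (an assumption of this example) that reproduces the legacy IE behaviour in which two URLs differing only in port are treated as one origin. The `website.*` addresses in the test table are constructed to mirror the tutorial's lists.

```javascript
// Added example (not from the original tutorial): compare two URLs the way the
// Same Origin Policy does, i.e. by scheme, host and port.

// A URL that omits the port still has one implicitly, so http://website.com
// and http://website.com:80 must compare as the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443', 'ftp:': '21' };

// Return the origin tuple of a URL as { scheme, host, port }.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== '' ? u.port : (DEFAULT_PORTS[u.protocol] || '');
  return { scheme: u.protocol, host: u.hostname.toLowerCase(), port };
}

// Standard SOP check: same scheme, same host, same port.
// options.ignorePort (assumed flag for this example) reproduces the legacy IE
// behaviour described in the text, where the port is not part of the origin.
function sameOrigin(a, b, options = {}) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.scheme !== ob.scheme || oa.host !== ob.host) return false;
  if (options.ignorePort) return true;
  return oa.port === ob.port;
}

// Constructed test table mirroring the tutorial's same-origin and
// different-origin lists, relative to http://website.com.
const BASE = 'http://website.com';
const CASES = [
  ['http://website.com/', true],
  ['http://website.com/my/contact.html', true],
  ['http://website.com:80/', true],        // explicit default port, still the same origin
  ['http://www.website.co.uk', false],     // another domain
  ['http://website.org', false],           // another domain
  ['https://website.com', false],          // another protocol
  ['http://website.com:8080', false],      // another port
];

// Evaluate every case and report the expected versus actual verdict.
function runCases(options) {
  return CASES.map(([url, expected]) => ({ url, expected, actual: sameOrigin(BASE, url, options) }));
}

function main() {
  for (const r of runCases()) {
    const mark = r.actual === r.expected ? 'ok ' : 'BAD';
    console.log(`${mark} ${BASE} vs ${r.url}: sameOrigin=${r.actual}`);
  }
  // Under the IE port exception, a different port no longer separates origins.
  console.log(`IE-style, port ignored: ${sameOrigin(BASE, 'http://website.com:4444', { ignorePort: true })}`);
}

main();
```

Inside a browser the same tuple is exposed as `window.location.origin`, and the browser performs this comparison itself before allowing script access across windows or frames; the example only shows what that comparison consists of and why the IE port exception widens what counts as "the same site".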