Security Testing Same Origin Policy

What is Same Origin Policy?

Same Origin Policy (SOP) is a core concept in the web application security model. Under this policy, scripts running on web pages that come from the same site may interact with each other, where "same site" means a match on all of the following:

  • Domain
  • Protocol
  • Port


The reason for this behaviour is security. For instance, if you have open in one window and in another window, then you do not want a script from to access or change the content of, or run actions in the context of, Gmail on your behalf.

The following web pages are from the same origin. As noted above, origin comparison takes domain, protocol and port into consideration.


The following web pages are from a different origin.

  • domain)
  • (another domain)
  • (another protocol)
  • (another port)

Same Origin Policy Exceptions for IE

Internet Explorer has two important exceptions to SOP.

  • The first one is related to 'Trusted Zones'. If both domains are in the Highly Trusted zone, the Same Origin Policy is not applied at all.
  • The second exception in IE is related to the port. IE does not include the port in its Same Origin Policy check, hence and are considered to be from the same origin and no restrictions are applied.
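To make the domain/protocol/port rule and the IE port exception concrete, here is an added example (not code from the original page) that decides whether two URLs share an origin and reports which component breaks the match; the `ignorePort` option models the Internet Explorer behaviour described above. All URLs in it are constructed sample values.

```javascript
// Added example: same-origin comparison under the protocol/domain/port rule.
// The ignorePort option models IE, which leaves the port out of the check.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Break a URL into the three components that make up its origin.
function originParts(urlString) {
  const u = new URL(urlString); // lowercases the host, drops default ports
  return {
    protocol: u.protocol,
    hostname: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

// Compare two URLs. Returns { same, differing }, where differing lists the
// components (protocol, hostname, port) that do not match.
function compareOrigins(a, b, { ignorePort = false } = {}) {
  const pa = originParts(a);
  const pb = originParts(b);
  const checked = ignorePort
    ? ["protocol", "hostname"]
    : ["protocol", "hostname", "port"];
  const differing = checked.filter((k) => pa[k] !== pb[k]);
  return { same: differing.length === 0, differing };
}

function sameOrigin(a, b, opts) {
  return compareOrigins(a, b, opts).same;
}

// Constructed sample: a reference page plus candidates mirroring the cases
// in the text (same origin, another domain, another protocol, another port).
const REFERENCE = "http://www.example.com/dir/page.html";
const CANDIDATES = [
  "http://www.example.com/dir2/other.html",
  "http://en.example.com/dir/page.html",
  "https://www.example.com/dir/page.html",
  "http://www.example.com:81/dir/page.html",
];

// Label each candidate against the reference; opts is passed through.
function classify(reference, candidates, opts) {
  return candidates.map((url) => ({ url, ...compareOrigins(reference, url, opts) }));
}

for (const row of classify(REFERENCE, CANDIDATES)) {
  const label = row.same ? "same origin     " : "different origin";
  console.log(label, row.url, row.differing.join(",") || "-");
}
```

Note that switching to https changes the port as well as the protocol (80 to 443), so under the strict rule that candidate differs in two components, and under the IE-style check in one.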