3

I am trying to understand what use cases exist for the use of Same Origin Policy (SOP).

SOP prevents a document or script loaded from one origin from interacting with a resource from another origin.

But in what scenarios is this really used? From this answer, if I include scripts from different websites in my webpage, the scripts won't be subject to SOP as they belong to my website's origin. If they try to include other scripts, then those scripts will be subject to SOP (won't be able to access my page's resources: DOM, cookies etc.).

SOP is also used to prevent cross-domain AJAX requests.

Other than the above, is there any other scenario where SOP is applicable?

3
  • 2
    generally speaking, SOP is used to limit/regulate the communication between tabs, popups and iframes. But what is your question?
    – c69
    Commented Feb 9, 2015 at 0:00
  • I'm just trying to get a sense where all SOP is used. Like script inclusions are not subject to SOP
    – Jake
    Commented Feb 9, 2015 at 0:09
  • well.. if MDN does not provide enough info for you - try big G: code.google.com/p/browsersec/wiki/Part2#Same-origin_policy
    – c69
    Commented Feb 9, 2015 at 0:22

1 Answer

5

But in what scenarios is this really used?

Everywhere. Otherwise if you visited my website example.com I would be able to read your Gmail if you were logged in at the time from the same browser.

the scripts won't be subject to SOP as they belong to my website's origin.

Correct: They won't be subject to any restrictions by the SOP.

If they try to include other scripts, then those scripts will be subject to SOP (won't be able to access my page's resources: DOM, cookies etc.).

Not true. If those scripts include other scripts (e.g. a document.write of a script tag - <script src="https://example.edu/foo.js"></script>) then those scripts will be under your website's origin too. If you include another domain's scripts under your own site, then you are giving full access to your origin to that domain.

SOP is also used to prevent cross-domain AJAX requests.

Not true. The SOP does not stop a cross-domain AJAX request from being made - it simply stops it from being read.

Other than the above, is there any other scenario where SOP is applicable?

Yes, for example the SOP prevents frames, IFrames and windows from cross communicating across domains. Check out MDN for a full explanation of the SOP.
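The following is an added example, not code from the question or the answer above. It models in plain JavaScript (Node.js, built-in WHATWG `URL` parser only) the points the answer makes: the (scheme, host, port) origin comparison browsers apply; that every `<script src>` a page includes executes with the including page's origin, so each cross-origin script host gets full access to the page; that a cross-origin request is sent but its response cannot be read unless the server opts in via CORS (the `Access-Control-Allow-Origin` check goes beyond what the answer states and is the standard mechanism for relaxing the SOP); and that cross-origin frames and windows cannot touch each other's DOM. `SAMPLE_PAGE`, `SAMPLE_HTML` and all hostnames are constructed sample values, and the function names are this example's own.

```javascript
// Added example (not from the original post): a model of the browser's
// same-origin check and of what a page may read or touch cross-origin.
// Runs under Node.js; uses only the built-in WHATWG URL parser.

const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// 1. Origin tuple (scheme, host, port), with the scheme's default port filled in.
function originOf(urlString) {
  const u = new URL(urlString);
  return { scheme: u.protocol, host: u.hostname, port: u.port || DEFAULT_PORTS[u.protocol] || "" };
}

// Serialize as a browser does in the Origin header: "https://example.com",
// keeping only a non-default port ("https://example.com:8443").
function serializeOrigin(o) {
  const portPart = o.port === DEFAULT_PORTS[o.scheme] ? "" : `:${o.port}`;
  return `${o.scheme}//${o.host}${portPart}`;
}

function isSameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// 2. Every <script src> a page includes executes with the PAGE's origin, so each
//    cross-origin script host has full access to the page's DOM and cookies.
//    Listing those hosts from the page's HTML is a quick audit of who you trust.
function thirdPartyScriptOrigins(pageUrl, html) {
  const found = new Set();
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    const abs = new URL(m[1], pageUrl).href; // resolves relative and protocol-relative src
    if (!isSameOrigin(pageUrl, abs)) found.add(serializeOrigin(originOf(abs)));
  }
  return [...found].sort();
}

// 3. The request is sent regardless; whether the page may READ the response is
//    what the SOP decides, relaxed only if the server opts in with CORS headers.
function canReadResponse(pageUrl, requestUrl, responseHeaders, withCredentials = false) {
  if (isSameOrigin(pageUrl, requestUrl)) return true;
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) return false;
  if (allow === "*") return !withCredentials; // wildcard never exposes credentialed responses
  return allow === serializeOrigin(originOf(pageUrl));
}

// 4. A window may touch another frame's or window's DOM only when both are same-origin.
function canAccessFrameDom(parentUrl, frameUrl) {
  return isSameOrigin(parentUrl, frameUrl);
}

// Constructed sample page: one same-origin script, three cross-origin ones
// (a different host, a protocol-relative CDN host, and the same host on another port).
const SAMPLE_PAGE = "https://example.com/index.html";
const SAMPLE_HTML = `
  <script src="/static/app.js"></script>
  <script src="https://example.edu/foo.js"></script>
  <script type="text/javascript" src='//cdn.example.net/lib.js'></script>
  <script src="https://example.com:8443/other.js"></script>
`;

// Origins that have been granted full access to SAMPLE_PAGE's origin:
// ["https://cdn.example.net", "https://example.com:8443", "https://example.edu"]
function auditSamplePage() {
  return thirdPartyScriptOrigins(SAMPLE_PAGE, SAMPLE_HTML);
}
```

Run it with `node sop-model.js` after adding a `console.log(auditSamplePage())` at the bottom. The port and scheme checks are the ones most often overlooked: `https://example.com` and `https://example.com:8443` are different origins, as are `http://` and `https://` on the same host, so a script or frame served from either side gets no access to the other.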
