
Same origin policy

In computing, the same origin policy is an important security measure for client-side scripting (mostly JavaScript). The policy dates from Netscape Navigator 2.0, with necessary coverage fixes in Navigator 2.01 and Navigator 2.02. It prevents a document or script loaded from one "origin" from getting or setting properties of a document from a different "origin".

Access restriction

The philosophy of the same origin policy is simple: it is not safe to trust content loaded from arbitrary websites. Since semi-trusted scripts run within the sandbox, they should only be allowed to access resources from the same website, not resources from other websites, which could be malicious.

The term "origin" is defined using the domain name, protocol and sometimes port*. Two pages belong to the same origin if and only if these three values are the same. To illustrate, the following table gives examples of origin comparisons to the URL "http://www.example.com/dir/page.html".

URL                                          | Outcome  | Reason
---------------------------------------------|----------|------------------------------------------
http://www.example.com/dir2/other.html       | Success  | Same protocol and host
http://www.example.com/dir/inner/other.html  | Success  | Same protocol and host
http://www.example.com:81/dir2/other.html    | Failure* | Same protocol and host but different port
https://www.example.com/dir2/other.html      | Failure  | Different protocol
http://en.example.com/dir2/other.html        | Failure  | Different host
http://example.com/dir2/other.html           | Failure  | Different host


(*) Note: Internet Explorer ignores the port when calculating SOP equality.

Scripts that use relative URLs and only access URLs within their own origin never run into this restriction.
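The origin comparison described above, written out as an added example (not code from the original article): the protocol, host and port are extracted from each URL, default ports are filled in, and the article's table is reproduced. The ignorePort option models the Internet Explorer behaviour mentioned in the note; the function and constant names are my own.

```javascript
// Added example: derive the "origin" triple the same origin policy compares
// (protocol, host, port) and check two URLs against each other.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL to its origin components. The port is filled in with the
// protocol's default when the URL omits it, so "http://a/" and "http://a:80/"
// compare equal, as browsers treat them.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { protocol: u.protocol, host: u.hostname, port };
}

// Two URLs share an origin iff protocol, host and port all match.
// ignorePort=true models the legacy Internet Explorer behaviour noted in the
// article, where the port is left out of the comparison.
function sameOrigin(a, b, { ignorePort = false } = {}) {
  const oa = originOf(a), ob = originOf(b);
  return oa.protocol === ob.protocol &&
         oa.host === ob.host &&
         (ignorePort || oa.port === ob.port);
}

// The article's comparison table: each URL and whether it should succeed
// against the reference page (constructed from the table above).
const REFERENCE = "http://www.example.com/dir/page.html";
const CASES = [
  ["http://www.example.com/dir2/other.html", true],
  ["http://www.example.com/dir/inner/other.html", true],
  ["http://www.example.com:81/dir2/other.html", false],
  ["https://www.example.com/dir2/other.html", false],
  ["http://en.example.com/dir2/other.html", false],
  ["http://example.com/dir2/other.html", false],
];

// Evaluate every row; returns the computed and expected outcome per URL.
function checkTable(ignorePort = false) {
  return CASES.map(([url, expected]) => ({
    url,
    result: sameOrigin(REFERENCE, url, { ignorePort }),
    expected,
  }));
}

for (const row of checkTable()) {
  console.log(`${row.result ? "Success" : "Failure"}  ${row.url}`);
}
```

With ignorePort set to true the ":81" row flips to Success, which is exactly the Internet Explorer discrepancy the table footnote describes.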

Overcoming access restriction

It is possible to "overcome" this restriction by signing the script. However, in practice signed scripts are rarely used. This is mainly because Internet Explorer does not support signed scripts, and not everyone can afford a widely recognised digital signature, particularly not casual web developers. Also, even if the script is signed, a prompt window appears whenever the script requires access to extended privileges. This is another security measure, as a signed script is by no means a trustworthy script: it is trusted that the script comes from that origin, but it is still unknown what the script really does.

The same origin policy does not apply to HTML files run from the local filesystem. This makes it possible for a locally run HTML file to, for instance, perform any given HTTP request. The information here and here explains some of the potential problems; however, applications such as TiddlyWiki use this ability to save changes locally and simplify the XMLHttpRequest process.

It is also possible to implement a proxy script on the server.

JSON

While it is not possible to directly query websites for data due to the same origin policy, the