Bug Bounty Hub
  • πŸš€WELCOME
    • Bug Bounty Hub
    • BBH - Values
    • About the author
  • πŸ•ΈοΈPENTESTING WEB
    • Information Gathering
      • Enumerating ASN and IP blocks
      • Reverse IP Lookup
      • Scanning Open Ports/Services
      • Subdomain Enumeration
        • Active Subdomain Enumeration
        • Passive Subdomain Enumeration
        • Subdomain Permutations
        • Check Alive Subdomains
      • Subdomain Takeover
      • Fuzzing
      • JavaScript Files
      • Endpoints
      • Input Parameters
      • Mapping Attack Surface - Crawling/Spider
      • Fingerprinting
      • Potential Vulnerabilities - Nuclei
    • Client-Side Injection Attacks
    • Server-Side Vulnerabilities
      • Path Traversal/File Inclusion
      • Access Control
      • Authentication
      • Server-side Request Forgery (SSRF)
      • File upload vulnerabilities
      • OS Command Injection
      • SQL Injection
        • MySQL Injection
        • SQLi with SQLMap
    • Authentication
    • Insecure Direct Object Reference (IDOR)
    • Cross-Site Request Forgery Attacks
    • Business Logic Flaws
    • HTTP Verb Tampering
    • Bypass 401 & 403
    • Evading WAFs
    • Reporting
  • 🐣THE BASICS OF WEB
    • HTTP Methods
    • HTTP Response Codes
    • HTTP Headers
      • AWS S3 Buckets Headers
    • HTTP Cookies
    • Encoding
      • URL encoding
      • HTML encoding
      • Base 64 encoding
      • Unicode encoding
    • Web Browsers
      • Same-Origin Policy (SOP)
      • Content Security Policy (CSP)
      • Subresource Integrity Check (SIC)
    • Web Proxies
  • πŸ“šRESOURCES
    • Books
    • Web resources
    • CTF Platforms
  • πŸ”οΈBug Bounty Platforms
Powered by GitBook
On this page

Was this helpful?

  1. THE BASICS OF WEB
  2. Web Browsers

Same-Origin Policy (SOP)

PreviousWeb BrowsersNextContent Security Policy (CSP)

Last updated 6 months ago

Was this helpful?

The Same-Origin Policy (SOP) is a critical security mechanism implemented in web browsers to prevent malicious interactions between resources from different origins.

An origin is defined by the combination of a webpage's protocol, domain and port:

Origin:
http://example.com:443

http -> Scheme
example.com -> Hostname
443 -> Port

Example of a SOP violation:

Rules for interactions between different origins:

Origin 1
Origin 2
Same Origin

http://store.example.com/page.html

http://store.example.com/newpage.html

YES

http://store.example.com/page.html

http://news.example.com/page.html

NO

http://store.example.com:80/page.html

http://store.example.com:8080/page.html

NO

https://store.example.com:8443/page.html

ABOUT:BLANK

YES

https://storage.example.com/dir/page.html

https://storage.example.com/dir/subdir/page.html

YES

In the table, storage.example.com and about:blank are shown on the same origin.

About:blank has no origin and inherits the origin of the document that created it.

🐣
SOP violation