Same-Origin Policy (SOP)

The Same-Origin Policy (SOP) is a security mechanism implemented in web browsers that restricts how a document or script loaded from one origin can read or interact with resources from another origin. Without it, a page on attacker.example could read the contents of your bank's pages loaded in the same browser.

An origin is defined by the combination of a URL's scheme (protocol), host and port. The path, query string and fragment are not part of the origin:

Origin:
http://example.com:443

http        -> Scheme
example.com -> Host
443         -> Port

The port is written explicitly here; when it is omitted it defaults to 80 for http and 443 for https, so http://example.com and http://example.com:80 are the same origin.

Example of a SOP violation:

[Figure: SOP violation]

Rules for interactions between different origins:

Origin 1                                    Origin 2                                           Same Origin
http://store.example.com/page.html          http://store.example.com/newpage.html              YES (only the path differs)
http://store.example.com/page.html          http://news.example.com/page.html                  NO  (different host)
http://store.example.com:80/page.html       http://store.example.com:8080/page.html            NO  (different port)
https://store.example.com:8443/page.html    about:blank (created by Origin 1)                  YES (inherits the creator's origin)
https://storage.example.com/dir/page.html   https://storage.example.com/dir/subdir/page.html   YES (only the path differs)

In the table, https://store.example.com:8443/page.html and about:blank are shown as the same origin. This holds only because about:blank has no origin of its own: it inherits the origin of the document that created it, for example through window.open() or an iframe without a src attribute. An about:blank document with no creator (one navigated to directly) gets an opaque origin that is same-origin with nothing.
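The origin comparison behind the table above and the about:blank rule, as an added example that is not part of the original page. It builds the (scheme, host, port) tuple with the WHATWG URL class available in browsers and Node.js, normalises default ports, and treats about:blank as inheriting its creator's origin; the function names and the creatorOfA/creatorOfB parameters are this example's own.

```javascript
// Added example (not from the original page): the origin tuple the browser
// compares under the Same-Origin Policy, plus the about:blank inheritance rule.
// `URL` is the WHATWG URL class built into browsers and Node.js.

// Default ports used when a URL omits the port. Node's URL already drops these
// from .origin; the lookup makes the comparison explicit for the reader.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443', 'ftp:': '21' };

// Returns the { scheme, host, port } tuple for a URL, or null for an opaque
// origin (about:blank with no creator, data: URLs, ...), which is same-origin
// with nothing, not even itself.
function originTuple(url, creatorUrl = null) {
  const u = new URL(url);
  if (u.protocol === 'about:') {
    // about:blank has no origin of its own: it inherits the origin of the
    // document that created it (window.open, a src-less iframe, ...).
    return creatorUrl ? originTuple(creatorUrl) : null;
  }
  if (!u.host) return null; // no authority component -> opaque origin
  return {
    scheme: u.protocol.slice(0, -1), // "https:" -> "https"
    host: u.hostname,                // path, query and fragment are ignored
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Serialised form such as "https://store.example.com:8443"; "null" for opaque.
function originString(url, creatorUrl = null) {
  const t = originTuple(url, creatorUrl);
  return t ? `${t.scheme}://${t.host}:${t.port}` : 'null';
}

// Same origin iff scheme, host and port all match; opaque origins never match.
function sameOrigin(a, b, { creatorOfA = null, creatorOfB = null } = {}) {
  const ta = originTuple(a, creatorOfA);
  const tb = originTuple(b, creatorOfB);
  if (!ta || !tb) return false;
  return ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// The rows of the table on this page (constructed input), with the about:blank
// row created by Origin 1 and an extra row showing that an explicit default
// port still counts as the same origin.
const STORE = 'https://store.example.com:8443/page.html';
const ROWS = [
  ['http://store.example.com/page.html', 'http://store.example.com/newpage.html', {}],
  ['http://store.example.com/page.html', 'http://news.example.com/page.html', {}],
  ['http://store.example.com:80/page.html', 'http://store.example.com:8080/page.html', {}],
  [STORE, 'about:blank', { creatorOfB: STORE }],
  ['https://storage.example.com/dir/page.html', 'https://storage.example.com/dir/subdir/page.html', {}],
  ['http://store.example.com:80/page.html', 'http://store.example.com/page.html', {}],
];

function checkRows() {
  return ROWS.map(([a, b, opts]) => sameOrigin(a, b, opts));
}

for (const [a, b, opts] of ROWS) {
  console.log(`${originString(a, opts.creatorOfA)} vs ${originString(b, opts.creatorOfB)} -> ${sameOrigin(a, b, opts) ? 'YES' : 'NO'}`);
}
```

Note that a real browser does not expose the creator relationship through the URL; `document.origin` or `window.origin` inside the about:blank frame already reflects the inherited value. The example models that relationship explicitly so the table's fourth row can be checked offline.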
