
Who or what exactly does the "Same Origin Policy" aim to protect [Resolved]

As I understand it, the "Same Origin Policy" is a browser security feature that aims to protect the user. It prevents scripts from loading data from another webserver (typically with Ajax).

So essentially there are 3 actors:

  • The User in the Browser
  • The Original Website
  • The "other origin" Web Resource

Does it protect the user? No: With CORS I can just allow any Origin on a malicious "Other origin" Web Resource.

Does it protect the original Website? No: With CORS I can just allow any Origin on a malicious "Other origin" Web Resource.

Does it protect the "other origin" Web Resource? No: A browser with Same Origin Policy disabled or a crafted request can be used to get the request through anyway.

I cannot get my head around that. What is the situation where the SOP helps, and which of these 3 actors does it protect in this situation?


Question Credit: hefeteig
Asked July 20, 2019
Posted Under: Programming
2 Answers

I believe Same Origin Policy protects two things:

  • The website's cookies from being sent by a hacker (e.g. hackersareus.com cannot send Stack Exchange a request with their cookies in it). This is a preflight request.
  • The website's public-facing pages from being scraped by a more scrupulous individual (e.g. stackdeck.com must use their server to scrape Stack Exchange - the browser won't do it for you). This is a non-preflighted, cookie-free request.

These two use cases are often confused with one another in my opinion.


credit: Jonathan Graef
Answered July 20, 2019
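The distinction the answer draws, as an added example that is not part of the question or the answer above: a small model of the browser-side CORS response check (following the rules of the Fetch standard) next to a server-side allowlist helper, run over the question's three actors. The origins, the `corsCheck` and `corsHeadersFor` functions, and the scenarios are all constructed for illustration.

```javascript
// Browser side: may a cross-origin response be exposed to the calling script?
// `origin` is the page's origin, `credentials` is the fetch credentials mode
// ('omit' or 'include'), `headers` holds the response headers (lowercase keys).
function corsCheck(origin, credentials, headers) {
  const acao = headers['access-control-allow-origin'];
  if (acao === undefined) return false;            // server granted nothing
  if (credentials !== 'include') {
    // Anonymous (cookie-free) request: '*' or an exact origin match suffices.
    return acao === '*' || acao === origin;
  }
  // Credentialed request (the user's cookies attached): the wildcard is
  // rejected and the server must also opt in with Allow-Credentials: true.
  return acao === origin && headers['access-control-allow-credentials'] === 'true';
}

// Server side: reflect only allowlisted origins; never combine '*' with
// credentials, and never echo an arbitrary Origin header back.
function corsHeadersFor(requestOrigin, allowlist) {
  if (!allowlist.includes(requestOrigin)) return {};   // browser blocks the read
  return {
    'access-control-allow-origin': requestOrigin,
    'access-control-allow-credentials': 'true',
    'vary': 'Origin',
  };
}

// Constructed actors: the site the user is logged in to, and a malicious origin.
const siteOrigin = 'https://stackexchange.example';
const attackerOrigin = 'https://hackersareus.example';

// 1. The attacker's own server answers "allow any origin": an anonymous read
//    from the site's page succeeds, which only exposes the attacker's data.
const attackerOpenAnon = corsCheck(siteOrigin, 'omit',
  { 'access-control-allow-origin': '*' });
// 2. The same wildcard cannot unlock a credentialed read.
const attackerOpenCred = corsCheck(siteOrigin, 'include',
  { 'access-control-allow-origin': '*' });
// 3. The real protection: a page on the attacker's origin requests the site
//    with the user's cookies, and the site's allowlist does not include it.
const siteReadByAttacker = corsCheck(attackerOrigin, 'include',
  corsHeadersFor(attackerOrigin, [siteOrigin]));
// 4. The misconfiguration to detect: a site that reflects every Origin with
//    credentials hands its cookie-authenticated responses to any page.
const siteReflectsAll = corsCheck(attackerOrigin, 'include',
  corsHeadersFor(attackerOrigin, [attackerOrigin, siteOrigin]));
```

Scenarios 1 and 2 are the "I can just allow any origin" case from the question: the wildcard only opens the server that sets it, and never a cookie-bearing request; scenario 3 is where the policy protects the "other origin" resource on the user's behalf, and scenario 4 is the server-side mistake that undoes it.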