Same Origin Policy (RFC 6454)

The same-origin policy is an isolation rule enforced on the client side, in the browser: content loaded from one origin is not allowed to read or interact with credential-restricted content that belongs to another origin. It is not a defence against an attacker sitting between the web server and the user (that is what TLS is for); its job is to stop one website from using the user's session with a second website.

Definition of Origin

The origin of a resource is derived from its Uniform Resource Identifier (URI, RFC 3986), but it is not the whole URI. Two URIs belong to the same origin when all three of the following match:

    1. scheme (http and https are different origins)
    2. hostname (a subdomain is a different origin from its parent domain)
    3. port number (an omitted port means the scheme's default, 80 for http and 443 for https)

The path, query string and fragment play no part in the comparison. If any one of the three parts differs, the two resources are in different origins.
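The comparison above, as an added example that is not part of RFC 6454 or the original page. It derives the (scheme, host, port) tuple with the WHATWG URL parser built into Node.js and browsers, applies the default-port rule, and runs a constructed table of URL pairs; the hostnames are assumed names, not real sites.

```javascript
// Added example (not from RFC 6454 or the original page): derive the origin
// tuple from a URL and compare two URLs the way a browser does.

// Default ports per scheme; an omitted port means the default, so
// http://example.com and http://example.com:80 are the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the (scheme, host, port) tuple for a URL string.
function originTuple(urlString) {
  const u = new URL(urlString);
  return {
    scheme: u.protocol,                                 // e.g. "https:"
    host: u.hostname.toLowerCase(),                     // hostnames are case-insensitive
    port: u.port || DEFAULT_PORTS[u.protocol] || "",    // explicit port, else the default
  };
}

// Two URLs are same-origin iff all three tuple components match.
function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed pairs (assumed hostnames); the third column is the expected answer.
const PAIRS = [
  ["http://example.com/a.html", "http://example.com/b/c.html?x=1#f", true],  // path/query/fragment ignored
  ["http://example.com/a.html", "http://example.com:80/a.html",      true],  // explicit default port
  ["http://EXAMPLE.com/a.html", "http://example.com/a.html",         true],  // host case does not matter
  ["http://example.com/a.html", "https://example.com/a.html",        false], // scheme differs
  ["http://example.com/a.html", "http://www.example.com/a.html",     false], // host differs (subdomain)
  ["http://example.com/a.html", "http://example.com:8080/a.html",    false], // port differs
];

// Evaluate every pair; returns the verdicts alongside the expected values.
function checkAll() {
  return PAIRS.map(([a, b, expected]) => ({ a, b, same: sameOrigin(a, b), expected }));
}

for (const r of checkAll()) {
  console.log(`${r.same ? "same     " : "different"}  ${r.a}  vs  ${r.b}`);
}
```

Note that the parser already drops a default port and lowercases the host, so "http://example.com:80/" and "http://EXAMPLE.com/" normalise to the same origin before the tuple is even compared; the explicit default-port lookup is what keeps the tuple meaningful for an unusual scheme.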

Managing Trusts

When an HTML page served from the origin includes:

<script src="https://example.com/library.js"></script>

the page's author is trusting https://example.com: the script is fetched cross-origin, but it executes with the full privileges of the including page's origin, not of the origin it was fetched from. A compromised library.js is therefore as serious as a compromise of the page itself.


Similarly:

   <form method="POST" action="https://example.com/login">
    ... <input type="password"> ...
   </form>

means the page is trusting https://example.com to receive sensitive data. The browser will submit the form cross-origin; the same-origin policy does nothing to stop that submission.


To manage that trust, the browser ensures that any inflow or outflow of data stays within the same origin, with two kinds of exception:

  • origins the server has explicitly allowed (see "Create Exception" below)
  • resource loads that are permitted by default (next section)

Permitted Cross-Origin Resource Loading

By default, a page is allowed to embed resources from other origins in order to:

  • execute scripts
  • render images
  • apply stylesheets
  • display HTML content in a frame (e.g. iframe)

Embedding is not the same as reading. The page can run the script or show the image, but script on the page cannot read the bytes of a cross-origin image or the DOM of a cross-origin frame; that is the part the policy still enforces.

Possible Vulnerabilities Introduced

The policy restricts reading, not sending. A cross-origin form submission or image load is still sent, and the browser attaches the user's cookies for the target site (subject to the cookie's SameSite attribute). Exceptions widen what can additionally be read, and together these create the following possible vulnerabilities:

  • cross-site request forgery (CSRF): a page on one origin causes the user's browser to send an authenticated request to another origin; the attacker never needs to read the response for the request to take effect, and a too-broad exception lets the attacker read it as well
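The CSRF case, as an added example that is not code from the original page: a minimal money-transfer endpoint in a vulnerable and a hardened version, driven by two constructed requests, one from the site's own page and one forged by a page on another origin. The site name https://bank.example, the attacker origin https://evil.example and the session cookie are assumed values. The hardened version relies on the Origin header, which browsers add to cross-origin POSTs, and on Sec-Fetch-Site, which current browsers add to every request.

```javascript
// Added example, not from the original page. Two versions of a state-changing
// endpoint fed with constructed requests (assumed site and cookie values).

const SITE_ORIGIN = "https://bank.example"; // assumed site

// Requests as the server sees them. The browser attached the user's cookie to
// the forged cross-origin POST (subject to SameSite); the same-origin policy
// only keeps the *response* away from the forging page, it does not stop the
// request. The browser also labelled each request with Origin / Sec-Fetch-Site.
const LEGIT_POST = {
  method: "POST",
  headers: { cookie: "sid=abc123", origin: SITE_ORIGIN, "sec-fetch-site": "same-origin" },
  body: { to: "bob", amount: 10 },
};
const FORGED_POST = {
  method: "POST",
  headers: { cookie: "sid=abc123", origin: "https://evil.example", "sec-fetch-site": "cross-site" },
  body: { to: "mallory", amount: 50 },
};

// Fresh session store for each scenario so runs are independent.
function freshSessions() {
  return { "sid=abc123": { user: "alice", balance: 100 } };
}

// Vulnerable: the cookie alone authorises the transfer, so the forged request
// succeeds exactly like the legitimate one.
function transferVulnerable(sessions, req) {
  const s = sessions[req.headers.cookie];
  if (!s) return { status: 401 };
  s.balance -= req.body.amount;
  return { status: 200, balance: s.balance };
}

// Did the browser's own metadata say the request came from another site?
// A missing Origin header is tolerated here (non-browser clients, old
// browsers); a stricter deployment would reject POSTs without one.
function isCrossSite(req) {
  if (req.headers["sec-fetch-site"] === "cross-site") return true;
  const origin = req.headers.origin;
  return origin !== undefined && origin !== SITE_ORIGIN;
}

// Hardened: same cookie check, plus the request must originate from the site.
function transferHardened(sessions, req) {
  const s = sessions[req.headers.cookie];
  if (!s) return { status: 401 };
  if (isCrossSite(req)) return { status: 403 };
  s.balance -= req.body.amount;
  return { status: 200, balance: s.balance };
}

// Run both requests through one handler; report statuses and the end balance.
function runScenario(handler) {
  const sessions = freshSessions();
  const legit = handler(sessions, LEGIT_POST).status;
  const forged = handler(sessions, FORGED_POST).status;
  return { legit, forged, balance: sessions["sid=abc123"].balance };
}

console.log("vulnerable:", runScenario(transferVulnerable));
console.log("hardened:  ", runScenario(transferHardened));
```

With the vulnerable handler both transfers go through and the balance drops from 100 to 40; with the hardened handler the forged request gets 403 and the balance stops at 90. Checking the browser-supplied origin metadata is one CSRF control among several; it works because the browser, not the attacker's page, writes those headers.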

Create Exception

To create an exception, the server adds a response header naming the origin (scheme, host and port, not a bare hostname) that is allowed to read the response:

Access-Control-Allow-Origin: https://www.example.com

To let any site read the response, use an asterisk instead:

Access-Control-Allow-Origin: *

The asterisk is only honoured for requests made without credentials: browsers refuse to combine it with Access-Control-Allow-Credentials: true, so a credentialled exception has to name one specific origin. Copying the request's Origin header into this field without checking it against an allow-list is equivalent to the asterisk plus credentials, and lets any site read the user's data.
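Both halves of the exception, as an added example that is not code from the original page: the server choosing what Access-Control-Allow-Origin to send under three policies (allow-list, reflect-anything, asterisk), and the browser's read check reduced to those two headers. The origin names are assumed, and the requests are plain objects standing in for HTTP.

```javascript
// Added example, not from the original page. Server-side CORS policy and the
// browser-side check that decides whether the calling page may read the reply.

// Assumed allow-list of first-party origins.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]);

// Server side. Three policies are shown; only "allowlist" is safe with cookies.
//  "allowlist": echo the request Origin only if it is on the allow-list.
//  "reflect":   echo whatever Origin arrived (a common misconfiguration).
//  "wildcard":  "*", which browsers honour only for credential-less requests.
function corsResponseHeaders(requestOrigin, policy) {
  const h = {};
  if (policy === "allowlist") {
    if (requestOrigin && ALLOWED_ORIGINS.has(requestOrigin)) {
      h["Access-Control-Allow-Origin"] = requestOrigin;
      h["Access-Control-Allow-Credentials"] = "true";
      h["Vary"] = "Origin"; // reply differs per origin; keep shared caches honest
    }
  } else if (policy === "reflect") {
    if (requestOrigin) {
      h["Access-Control-Allow-Origin"] = requestOrigin;
      h["Access-Control-Allow-Credentials"] = "true";
    }
  } else if (policy === "wildcard") {
    h["Access-Control-Allow-Origin"] = "*";
  }
  return h;
}

// Browser side: the CORS check from the Fetch standard, reduced to the two
// headers above. Returns true if script on `pageOrigin` may read the response.
function browserMayRead(pageOrigin, headers, withCredentials) {
  const allow = headers["Access-Control-Allow-Origin"];
  if (allow === undefined) return false;              // no exception at all
  if (allow === "*") return !withCredentials;          // asterisk refused with credentials
  if (allow !== pageOrigin) return false;              // exception names another origin
  if (withCredentials) return headers["Access-Control-Allow-Credentials"] === "true";
  return true;
}

// One exchange: a page on `pageOrigin` fetches from the API and the browser
// applies the check to whatever the chosen policy sent back.
function exchange(pageOrigin, policy, withCredentials = true) {
  const headers = corsResponseHeaders(pageOrigin, policy);
  return browserMayRead(pageOrigin, headers, withCredentials);
}

for (const policy of ["allowlist", "reflect", "wildcard"]) {
  console.log(policy,
    "app reads:", exchange("https://app.example", policy),
    "evil reads (with cookies):", exchange("https://evil.example", policy),
    "evil reads (no cookies):", exchange("https://evil.example", policy, false));
}
```

The table the loop prints is the whole point: under "reflect" the attacker's page reads the user's credentialled response, under "wildcard" it reads only credential-less responses, and under "allowlist" it reads nothing.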

Recommended Practices

  • Manage the trust of each data flow, whether reading from an external origin or transmitting data to one; every cross-origin script include and form action is a trust decision.
  • Restrict the media types a page serves and send accurate Content-Type headers, since a browser may content-sniff an ambiguous response into an executable type (X-Content-Type-Options: nosniff disables that sniffing).
  • Keep resources on the same origin where possible, and keep the list of allowed external origins explicit and short.

That's all about the same-origin policy.