Introducing the Same-origin Policy Whitepaper
This blog post outlines the contents of our Same-origin Policy Whitepaper: The Definitive Guide to Same-origin Policy. It includes a discussion of SOP misconceptions and implementations. It is jointly by Alex Baker, an independent Security Researcher, together with Ziyahan Albeniz and Emre Iyidogan, two of Netsparker's Security Researchers.
Same-origin Policy (SOP) is a set of restrictions originally implemented by Netscape developers to help securely manage the relationships and connections between web resources such as HTML documents and other content, APIs and cookies. It enabled each resource to be defined by a string containing the protocol, URL and port used to locate it. Resources with the same origin would be able to access each other's contents.
SOP is used to counter hacks that have the same effect as one of the most prevalent web application vulnerabilities, cross-site scripting. Browers simply prevent users accessing and altering content that does not meet the same-origin rules (even though they enable web technologies that send and receive requests across various origins, they still provide a high level of security).
We have just published The Definitive Guide to Same-origin Policy. It discusses the following key topics:
- What would the development world look like, and how secure would it be, without the Same-origin Policy?
- A definition of Same-origin Policy, including common misconceptions
- How Same-origin Policy is implemented for different types of content, with some warnings concerning DOM Access and Web 2.0
- Cross-Origin Resources Sharing (CORS) in relation to simple and preflight requests, and cookies
- SOP for rich web applications
Finally, it ends with a concluding section on Next Generation Same-origin Policy looking beyond the loosely-defined concepts of Web 2.0 to the modern day context of HTML5 and Cross Domain Messaging.
This whitepaper has been authored by Ziyahan Albeniz Netsparker's own Security Researcher and translated by Emre Iyidogan and Alex Baker.