Same-Origin Policy (SOP)

Same-Origin Policy (SOP) is a security mechanism in web browsers that prevents a malicious website from attacking another website. It is an important concept in web application security modeling.

A web server hosts a website, and a user accesses it with a browser. A script on that web page is delivered to the browser and tries to connect to another web page. If the browser complies with the Same-Origin Policy, it compares the URI scheme, hostname and port number of the second web page with those of the first; only if all three match is the script allowed to interact with the second web page. The Same-Origin Policy provides protection against cross-site scripting attacks.

Consider a website where a user is logged in through their browser. A first, malicious website runs a script that tries to perform a Cross-Site Request Forgery attack by exploiting the authenticated user's browser session. This attempt is blocked by the Same-Origin Policy because the bank website's domain differs from the malicious website's domain. In the other cases, the malicious script is blocked because the host differs, and likewise for a different port or a different URI scheme (e.g. https versus http). The Same-Origin Policy can cause browser compatibility issues for large websites spanning multiple domains, which then need tailoring at the browser.
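The scheme/host/port comparison described above, as an added example that is not part of the original video or its description. It uses the WHATWG URL class (available in browsers and Node.js) and a set of constructed URL pairs covering the same-origin case plus the different-host, different-port and different-scheme cases; the `bank.example` and `evil.example` names are placeholders.

```javascript
// Added example: a same-origin check the way a browser performs it, by comparing
// the (scheme, host, port) tuple of two URLs. Everything else in the URL (path,
// query, fragment, user info) is ignored by the policy.
function originOf(urlString) {
  const u = new URL(urlString);
  // URL.port is "" when the port is the scheme's default (e.g. "https://x:443/"),
  // so normalise explicitly to make "https://x/" and "https://x:443/" compare equal.
  const defaultPorts = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function isSameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample pairs (placeholder domains) mirroring the cases in the description:
// [scriptOrigin, targetUrl, expectedSameOrigin]
const cases = [
  ["https://bank.example/account", "https://bank.example/transfer?amount=1", true], // same origin, path differs
  ["https://evil.example/", "https://bank.example/transfer", false],               // different host (the CSRF case)
  ["https://bank.example/", "https://bank.example:8443/", false],                   // different port
  ["https://bank.example/", "http://bank.example/", false],                         // different scheme
  ["https://bank.example/", "https://bank.example:443/", true],                     // explicit default port is still the same origin
  ["https://bank.example/", "https://api.bank.example/", false],                    // a subdomain is a different host
];

// Returns true only if every constructed case evaluates as expected.
function allCasesPass() {
  return cases.every(([a, b, expected]) => isSameOrigin(a, b) === expected);
}
```

The last case is why the multi-domain sites mentioned above run into trouble: a subdomain is already a different origin, and the server must opt in to cross-origin reads explicitly (for example via CORS headers) rather than the browser relaxing the check on its own.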