Same-origin policy - Wikipedia
<!DOCTYPE html> <html class="client-nojs vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available" lang="en" dir="ltr"> <head> <meta charset="UTF-8"> <title>Same-origin policy - Wikipedia</title>
<!-- Inline bootstrap (MediaWiki ResourceLoader): the IIFE replaces the "client-nojs" class list with a "client-js" one and applies per-user "clientpref" classes read from the "enwikimwclientpreferences" cookie; the RLCONF/RLSTATE/RLPAGEMODULES globals that follow configure which modules load. Being inline, this script needs a CSP script-src allowance (nonce, hash or 'unsafe-inline'). RLCONF.wgBreakFrames is false, so any clickjacking protection must come from response headers rather than frame-busting here. -->
<script>(function(){var className="client-js vector-feature-language-in-header-enabled vector-feature-language-in-main-page-header-disabled vector-feature-sticky-header-disabled vector-feature-page-tools-pinned-disabled vector-feature-toc-pinned-clientpref-1 vector-feature-main-menu-pinned-disabled vector-feature-limited-width-clientpref-1 vector-feature-limited-width-content-enabled vector-feature-custom-font-size-clientpref-1 vector-feature-appearance-pinned-clientpref-1 vector-feature-night-mode-enabled skin-theme-clientpref-day vector-toc-available";var cookie=document.cookie.match(/(?:^|; )enwikimwclientpreferences=([^;]+)/);if(cookie){cookie[1].split('%2C').forEach(function(pref){className=className.replace(new RegExp('(^| )'+pref.replace(/-clientpref-\w+$|[^\w-]+/g,'')+'-clientpref-\\w+( |$)'),'$1'+pref+'$2');});}document.documentElement.className=className;}());RLCONF={"wgBreakFrames":false,"wgSeparatorTransformTable":["",""],"wgDigitTransformTable":["",""],"wgDefaultDateFormat":"dmy", "wgMonthNames":["","January","February","March","April","May","June","July","August","September","October","November","December"],"wgRequestId":"bd81646f-4b84-4e0b-97de-dc223c964e0c","wgCanonicalNamespace":"","wgCanonicalSpecialPageName":false,"wgNamespaceNumber":0,"wgPageName":"Same-origin_policy","wgTitle":"Same-origin 
policy","wgCurRevisionId":1258032465,"wgRevisionId":1258032465,"wgArticleId":1883276,"wgIsArticle":true,"wgIsRedirect":false,"wgAction":"view","wgUserName":null,"wgUserGroups":["*"],"wgCategories":["CS1 maint: url-status","Articles with short description","Short description is different from Wikidata","Webarchive template wayback links","Computer network security","Computer security procedures","Computer security standards","Hypertext Transfer Protocol headers","Web applications"],"wgPageViewLanguage":"en","wgPageContentLanguage":"en","wgPageContentModel":"wikitext","wgRelevantPageName":"Same-origin_policy","wgRelevantArticleId":1883276,"wgIsProbablyEditable":true, "wgRelevantPageIsProbablyEditable":true,"wgRestrictionEdit":[],"wgRestrictionMove":[],"wgNoticeProject":"wikipedia","wgCiteReferencePreviewsActive":false,"wgFlaggedRevsParams":{"tags":{"status":{"levels":1}}},"wgMediaViewerOnClick":true,"wgMediaViewerEnabledByDefault":true,"wgPopupsFlags":0,"wgVisualEditor":{"pageLanguageCode":"en","pageLanguageDir":"ltr","pageVariantFallbacks":"en"},"wgMFDisplayWikibaseDescriptions":{"search":true,"watchlist":true,"tagline":false,"nearby":true},"wgWMESchemaEditAttemptStepOversample":false,"wgWMEPageLength":20000,"wgRelatedArticlesCompat":[],"wgCentralAuthMobileDomain":false,"wgEditSubmitButtonLabelPublish":true,"wgULSPosition":"interlanguage","wgULSisCompactLinksEnabled":false,"wgVector2022LanguageInHeader":true,"wgULSisLanguageSelectorEmpty":false,"wgWikibaseItemId":"Q2031810","wgCheckUserClientHintsHeadersJsApi":["brands","architecture","bitness","fullVersionList","mobile","model","platform","platformVersion"],"GEHomepageSuggestedEditsEnableTopics": 
true,"wgGETopicsMatchModeEnabled":false,"wgGEStructuredTaskRejectionReasonTextInputEnabled":false,"wgGELevelingUpEnabledForUser":false};RLSTATE={"ext.globalCssJs.user.styles":"ready","site.styles":"ready","user.styles":"ready","ext.globalCssJs.user":"ready","user":"ready","user.options":"loading","ext.cite.styles":"ready","skins.vector.search.codex.styles":"ready","skins.vector.styles":"ready","skins.vector.icons":"ready","jquery.tablesorter.styles":"ready","jquery.makeCollapsible.styles":"ready","ext.wikimediamessages.styles":"ready","ext.visualEditor.desktopArticleTarget.noscript":"ready","ext.uls.interlanguage":"ready","wikibase.client.init":"ready","ext.wikimediaBadges":"ready"};RLPAGEMODULES=["ext.cite.ux-enhancements","site","mediawiki.page.ready","jquery.tablesorter","jquery.makeCollapsible","mediawiki.toc","skins.vector.js","ext.centralNotice.geoIP","ext.centralNotice.startUp","ext.gadget.ReferenceTooltips","ext.gadget.switcher","ext.urlShortener.toolbar", "ext.centralauth.centralautologin","ext.popups","ext.visualEditor.desktopArticleTarget.init","ext.visualEditor.targetLoader","ext.echo.centralauth","ext.eventLogging","ext.wikimediaEvents","ext.navigationTiming","ext.uls.interface","ext.cx.eventlogging.campaigns","ext.cx.uls.quick.actions","wikibase.client.vector-2022","ext.checkUser.clientHints","ext.growthExperiments.SuggestedEditSession","wikibase.sidebar.tracking"];</script>
<!-- Token bootstrap for the current session. This page was rendered for a logged-out viewer (RLCONF.wgUserName is null, wgUserGroups is ["*"]), so patrolToken/watchToken/csrfToken all carry the literal "+\\" value; presumably MediaWiki's anonymous placeholder rather than a secret, but confirm before treating any value here as session-bound. -->
<script>(RLQ=window.RLQ||[]).push(function(){mw.loader.impl(function(){return["user.options@12s5i",function($,jQuery,require,module){mw.user.tokens.set({"patrolToken":"+\\","watchToken":"+\\","csrfToken":"+\\"}); }];});});</script> <link rel="stylesheet" 
href="/w/load.php?lang=en&modules=ext.cite.styles%7Cext.uls.interlanguage%7Cext.visualEditor.desktopArticleTarget.noscript%7Cext.wikimediaBadges%7Cext.wikimediamessages.styles%7Cjquery.makeCollapsible.styles%7Cjquery.tablesorter.styles%7Cskins.vector.icons%2Cstyles%7Cskins.vector.search.codex.styles%7Cwikibase.client.init&only=styles&skin=vector-2022">
<!-- Startup script is fetched same-origin from /w/load.php (first-party path, so SRI is not applicable); async="" is just the boolean attribute async, the empty value is allowed but unnecessary. -->
<script async="" src="/w/load.php?lang=en&modules=startup&only=scripts&raw=1&skin=vector-2022"></script> <meta name="ResourceLoaderDynamicStyles" content=""> <link rel="stylesheet" href="/w/load.php?lang=en&modules=site.styles&only=styles&skin=vector-2022"> <meta name="generator" content="MediaWiki 1.44.0-wmf.4">
<!-- Two referrer policies are declared back to back. "origin-when-cross-origin" is presumably the intended policy, with "origin" as a fallback for browsers that do not recognise the second value (how duplicate meta referrer elements are resolved is browser-dependent, so confirm). Under either policy, cross-origin requests from this page carry only the origin, never the path or query. -->
<meta name="referrer" content="origin"> <meta name="referrer" content="origin-when-cross-origin"> <meta name="robots" content="max-image-preview:standard"> <meta name="format-detection" content="telephone=no"> <meta name="viewport" content="width=1120"> <meta property="og:title" content="Same-origin policy - Wikipedia"> <meta property="og:type" content="website"> <link rel="alternate" media="only screen and (max-width: 640px)" href="//en.m.wikipedia.org/wiki/Same-origin_policy"> <link rel="alternate" type="application/x-wiki" title="Edit this page" href="/w/index.php?title=Same-origin_policy&action=edit"> <link rel="apple-touch-icon" href="/static/apple-touch/wikipedia.png"> <link rel="icon" href="/static/favicon/wikipedia.ico"> <link rel="search" type="application/opensearchdescription+xml" href="/w/rest.php/v1/search" title="Wikipedia (en)"> <link rel="EditURI" type="application/rsd+xml" href="//en.wikipedia.org/w/api.php?action=rsd"> <link rel="canonical" href="https://en.wikipedia.org/wiki/Same-origin_policy"> <link rel="license" href="https://creativecommons.org/licenses/by-sa/4.0/deed.en"> <link rel="alternate" type="application/atom+xml" title="Wikipedia Atom feed" href="/w/index.php?title=Special:RecentChanges&feed=atom">
<!-- Style nit: the trailing "/" on this void <link> element is ignored by the HTML parser and can be dropped. -->
<link rel="dns-prefetch" href="//meta.wikimedia.org" /> <link 
</label> <div class="vector-dropdown-content"> <div id="p-variants" class="vector-menu mw-portlet mw-portlet-variants emptyPortlet" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> </ul> </div> </div> </div> </div> </nav> </div> <div id="right-navigation" class="vector-collapsible"> <nav aria-label="Views"> <div id="p-views" class="vector-menu vector-menu-tabs mw-portlet mw-portlet-views" > <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-view" class="selected vector-tab-noicon mw-list-item"><a href="/wiki/Same-origin_policy"><span>Read</span></a></li><li id="ca-edit" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Same-origin_policy&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-history" class="vector-tab-noicon mw-list-item"><a href="/w/index.php?title=Same-origin_policy&action=history" title="Past revisions of this page [h]" accesskey="h"><span>View history</span></a></li> </ul> </div> </div> </nav> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-dropdown" class="vector-dropdown vector-page-tools-dropdown" > <input type="checkbox" id="vector-page-tools-dropdown-checkbox" role="button" aria-haspopup="true" data-event-name="ui.dropdown-vector-page-tools-dropdown" class="vector-dropdown-checkbox " aria-label="Tools" > <label id="vector-page-tools-dropdown-label" for="vector-page-tools-dropdown-checkbox" class="vector-dropdown-label cdx-button cdx-button--fake-button cdx-button--fake-button--enabled cdx-button--weight-quiet" aria-hidden="true" ><span class="vector-dropdown-label-text">Tools</span> </label> <div class="vector-dropdown-content"> <div id="vector-page-tools-unpinned-container" class="vector-unpinned-container"> <div id="vector-page-tools" class="vector-page-tools vector-pinnable-element"> <div class="vector-pinnable-header vector-page-tools-pinnable-header vector-pinnable-header-unpinned" 
data-feature-name="page-tools-pinned" data-pinnable-element-id="vector-page-tools" data-pinned-container-id="vector-page-tools-pinned-container" data-unpinned-container-id="vector-page-tools-unpinned-container" > <div class="vector-pinnable-header-label">Tools</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-page-tools.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-page-tools.unpin">hide</button> </div> <div id="p-cactions" class="vector-menu mw-portlet mw-portlet-cactions emptyPortlet vector-has-collapsible-items" title="More options" > <div class="vector-menu-heading"> Actions </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="ca-more-view" class="selected vector-more-collapsible-item mw-list-item"><a href="/wiki/Same-origin_policy"><span>Read</span></a></li><li id="ca-more-edit" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Same-origin_policy&action=edit" title="Edit this page [e]" accesskey="e"><span>Edit</span></a></li><li id="ca-more-history" class="vector-more-collapsible-item mw-list-item"><a href="/w/index.php?title=Same-origin_policy&action=history"><span>View history</span></a></li> </ul> </div> </div> <div id="p-tb" class="vector-menu mw-portlet mw-portlet-tb" > <div class="vector-menu-heading"> General </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-whatlinkshere" class="mw-list-item"><a href="/wiki/Special:WhatLinksHere/Same-origin_policy" title="List of all English Wikipedia pages containing links to this page [j]" accesskey="j"><span>What links here</span></a></li><li id="t-recentchangeslinked" class="mw-list-item"><a href="/wiki/Special:RecentChangesLinked/Same-origin_policy" rel="nofollow" title="Recent changes in pages linked from this page [k]" 
accesskey="k"><span>Related changes</span></a></li><li id="t-upload" class="mw-list-item"><a href="/wiki/Wikipedia:File_Upload_Wizard" title="Upload files [u]" accesskey="u"><span>Upload file</span></a></li><li id="t-specialpages" class="mw-list-item"><a href="/wiki/Special:SpecialPages" title="A list of all special pages [q]" accesskey="q"><span>Special pages</span></a></li><li id="t-permalink" class="mw-list-item"><a href="/w/index.php?title=Same-origin_policy&oldid=1258032465" title="Permanent link to this revision of this page"><span>Permanent link</span></a></li><li id="t-info" class="mw-list-item"><a href="/w/index.php?title=Same-origin_policy&action=info" title="More information about this page"><span>Page information</span></a></li><li id="t-cite" class="mw-list-item"><a href="/w/index.php?title=Special:CiteThisPage&page=Same-origin_policy&id=1258032465&wpFormIdentifier=titleform" title="Information on how to cite this page"><span>Cite this page</span></a></li><li id="t-urlshortener" class="mw-list-item"><a href="/w/index.php?title=Special:UrlShortener&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSame-origin_policy"><span>Get shortened URL</span></a></li><li id="t-urlshortener-qrcode" class="mw-list-item"><a href="/w/index.php?title=Special:QrCode&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FSame-origin_policy"><span>Download QR code</span></a></li> </ul> </div> </div> <div id="p-coll-print_export" class="vector-menu mw-portlet mw-portlet-coll-print_export" > <div class="vector-menu-heading"> Print/export </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="coll-download-as-rl" class="mw-list-item"><a href="/w/index.php?title=Special:DownloadAsPdf&page=Same-origin_policy&action=show-download-screen" title="Download this page as a PDF file"><span>Download as PDF</span></a></li><li id="t-print" class="mw-list-item"><a href="/w/index.php?title=Same-origin_policy&printable=yes" title="Printable version of this page [p]" 
accesskey="p"><span>Printable version</span></a></li> </ul> </div> </div> <div id="p-wikibase-otherprojects" class="vector-menu mw-portlet mw-portlet-wikibase-otherprojects" > <div class="vector-menu-heading"> In other projects </div> <div class="vector-menu-content"> <ul class="vector-menu-content-list"> <li id="t-wikibase" class="wb-otherproject-link wb-otherproject-wikibase-dataitem mw-list-item"><a href="https://www.wikidata.org/wiki/Special:EntityPage/Q2031810" title="Structured data on this page hosted by Wikidata [g]" accesskey="g"><span>Wikidata item</span></a></li> </ul> </div> </div> </div> </div> </div> </div> </nav> </div> </div> </div> <div class="vector-column-end"> <div class="vector-sticky-pinned-container"> <nav class="vector-page-tools-landmark" aria-label="Page tools"> <div id="vector-page-tools-pinned-container" class="vector-pinned-container"> </div> </nav> <nav class="vector-appearance-landmark" aria-label="Appearance"> <div id="vector-appearance-pinned-container" class="vector-pinned-container"> <div id="vector-appearance" class="vector-appearance vector-pinnable-element"> <div class="vector-pinnable-header vector-appearance-pinnable-header vector-pinnable-header-pinned" data-feature-name="appearance-pinned" data-pinnable-element-id="vector-appearance" data-pinned-container-id="vector-appearance-pinned-container" data-unpinned-container-id="vector-appearance-unpinned-container" > <div class="vector-pinnable-header-label">Appearance</div> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-pin-button" data-event-name="pinnable-header.vector-appearance.pin">move to sidebar</button> <button class="vector-pinnable-header-toggle-button vector-pinnable-header-unpin-button" data-event-name="pinnable-header.vector-appearance.unpin">hide</button> </div> </div> </div> </nav> </div> </div> <div id="bodyContent" class="vector-body" aria-labelledby="firstHeading" data-mw-ve-target-container> <div class="vector-body-before-content"> 
<div class="mw-indicators"> </div> <div id="siteSub" class="noprint">From Wikipedia, the free encyclopedia</div> </div> <div id="contentSub"><div id="mw-content-subtitle"></div></div> <div id="mw-content-text" class="mw-body-content"><div class="mw-content-ltr mw-parser-output" lang="en" dir="ltr"><div class="shortdescription nomobile noexcerpt noprint searchaux" style="display:none">Security measure for client-side scripting</div> <p>In computing, the <b>same-origin policy</b> (<b>SOP</b>) is a concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same <i>origin</i>. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). </p><p>This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity. </p><p>The same-origin policy applies only to scripts: resources such as images, CSS, and dynamically loaded scripts can still be embedded across origins via the corresponding HTML tags (with fonts being a notable exception). Attacks take advantage of the fact that the same-origin policy does not apply to such HTML tags. 
</p> <meta property="mw:PageProp/toc" /> <div class="mw-heading mw-heading2"><h2 id="History">History</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=1" title="Edit section: History"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The concept of same-origin policy was introduced by <a href="/wiki/Netscape_Navigator_2" title="Netscape Navigator 2">Netscape Navigator 2.02</a> in 1995,<sup id="cite_ref-1" class="reference"><a href="#cite_note-1"><span class="cite-bracket">[</span>1<span class="cite-bracket">]</span></a></sup> shortly after the introduction of <a href="/wiki/JavaScript" title="JavaScript">JavaScript</a> in Netscape 2.0.<sup id="cite_ref-2" class="reference"><a href="#cite_note-2"><span class="cite-bracket">[</span>2<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-3" class="reference"><a href="#cite_note-3"><span class="cite-bracket">[</span>3<span class="cite-bracket">]</span></a></sup> JavaScript enabled <a href="/wiki/Scripting_language" title="Scripting language">scripting</a> on web pages, and in particular programmatic access to the Document Object Model (DOM). </p><p>The policy was originally designed to protect access to the DOM, but has since been broadened to protect sensitive parts of the global JavaScript object. 
</p> <div class="mw-heading mw-heading2"><h2 id="Implementation">Implementation</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=2" title="Edit section: Implementation"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>All modern browsers implement some form of the same-origin policy as it is an important security cornerstone.<sup id="cite_ref-4" class="reference"><a href="#cite_note-4"><span class="cite-bracket">[</span>4<span class="cite-bracket">]</span></a></sup> The policies are not required to match an exact specification<sup id="cite_ref-W3C_Same_Origin_Document_5-0" class="reference"><a href="#cite_note-W3C_Same_Origin_Document-5"><span class="cite-bracket">[</span>5<span class="cite-bracket">]</span></a></sup> but are often extended to define roughly compatible security boundaries for other web technologies, such as <a href="/wiki/Microsoft_Silverlight" title="Microsoft Silverlight">Microsoft Silverlight</a>, <a href="/wiki/Adobe_Flash" title="Adobe Flash">Adobe Flash</a>, or <a href="/wiki/Adobe_Acrobat" title="Adobe Acrobat">Adobe Acrobat</a>, or for mechanisms other than direct DOM manipulation, such as <a href="/wiki/XMLHttpRequest" title="XMLHttpRequest">XMLHttpRequest</a>. </p> <div class="mw-heading mw-heading2"><h2 id="Origin_determination_rules">Origin determination rules</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=3" title="Edit section: Origin determination rules"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The algorithm used to calculate the "origin" of a URI is specified in RFC 6454, Section 4. For absolute URIs, the origin is the triple {scheme, host, port}. 
If the URI does not use a hierarchical element as a naming authority (see <a href="//tools.ietf.org/html/rfc3986" class="extiw" title="rfc:3986">RFC 3986</a>, Section 3.2) or if the URI is not an absolute URI, then a globally unique identifier is used. Two resources are considered to be of the same origin if and only if all these values are exactly the same. </p><p>To illustrate, the following table gives an overview of typical outcomes for checks against the <a href="/wiki/Uniform_Resource_Locator" class="mw-redirect" title="Uniform Resource Locator">URL</a> "<b>http://www.example.com/dir/page.html</b>". </p> <table class="wikitable sortable mw-collapsible"> <caption> </caption> <tbody><tr> <th>Compared URL </th> <th>Outcome </th> <th>Reason </th></tr> <tr> <td><b>http://www.example.com</b>/dir/page2.html </td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Success </td> <td>Same scheme, host and port </td></tr> <tr> <td><b>http://www.example.com</b>/dir2/other.html </td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Success </td> <td>Same scheme, host and port </td></tr> <tr> <td><b>http://</b>username:password@<b>www.example.com</b>/dir2/other.html </td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Success </td> <td>Same scheme, host and port </td></tr> <tr> <td>http://www.example.com:<b>80</b>/dir/other.html </td> <td style="background:#9EFF9E;color:black;vertical-align:middle;text-align:center;" class="table-yes">Success </td> <td>Most modern browsers implicitly assign the protocol's default port when omitted.<sup id="cite_ref-6" class="reference"><a href="#cite_note-6"><span class="cite-bracket">[</span>6<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-7" class="reference"><a href="#cite_note-7"><span class="cite-bracket">[</span>7<span class="cite-bracket">]</span></a></sup> 
</td></tr> <tr> <td>http://www.example.com:<b>81</b>/dir/other.html </td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Failure </td> <td>Same scheme and host but different port </td></tr> <tr> <td><b>https</b>://www.example.com/dir/other.html </td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Failure </td> <td>Different scheme </td></tr> <tr> <td>http://<b>en.example.com</b>/dir/other.html </td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Failure </td> <td>Different host </td></tr> <tr> <td>http://<b>example.com</b>/dir/other.html </td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Failure </td> <td>Different host (exact match required) </td></tr> <tr> <td>http://<b>v2.www.example.com</b>/dir/other.html </td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Failure </td> <td>Different host (exact match required) </td></tr> <tr> <td><b>data</b>:image/gif;base64,R0lGODlhAQABAAAAACwAAAAAAQABAAA= </td> <td style="background:#FFC7C7;color:black;vertical-align:middle;text-align:center;" class="table-no">Failure </td> <td>Different scheme </td></tr> </tbody></table> <p>Unlike other browsers, Internet Explorer does not include the port in the calculation of the origin, using the Security Zone in its place.<sup id="cite_ref-8" class="reference"><a href="#cite_note-8"><span class="cite-bracket">[</span>8<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading2"><h2 id="Read_access_to_sensitive_cross-origin_responses_via_reusable_authentication">Read access to sensitive cross-origin responses via reusable authentication</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=4" title="Edit 
section: Read access to sensitive cross-origin responses via reusable authentication"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The same-origin policy protects against reusing authenticated sessions across origins. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and does not log out. Then, the user goes to another site that contains malicious JavaScript code which requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create a new transaction, etc. This is because, in the original design of the World Wide Web, browsers attach authentication details, such as session cookies and platform-level forms of the Authorization request header, to every request to the banking site based on the domain of the banking site. </p><p>The bank site owners would expect that ordinary browsers of users visiting the malicious site do not allow code loaded from the malicious site to access the banking session cookie or platform-level authorization. While it is true that JavaScript has no direct access to the banking session cookie, it could still send requests to the banking site that carry the banking site's session cookie and receive the responses. The same-origin policy was introduced as a requirement for security-minded browsers to deny read access to responses from other origins, with the assumption that the majority of users choose to use compliant browsers. The policy does not deny writes. Counteracting the abuse of the write permission requires additional <a href="/wiki/Cross-site_request_forgery" title="Cross-site request forgery">CSRF</a> protections by the target sites. 
</p> <div class="mw-heading mw-heading2"><h2 id="Relaxing_the_same-origin_policy">Relaxing the same-origin policy</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=5" title="Edit section: Relaxing the same-origin policy"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>In some circumstances, the same-origin policy is too restrictive, posing problems for large websites that use multiple <a href="/wiki/Subdomain" title="Subdomain">subdomains</a>. At first, a number of workarounds such as using the <a href="/wiki/Fragment_identifier" class="mw-redirect" title="Fragment identifier">fragment identifier</a> or the <code>window.name</code> property were used to pass data between documents residing in different domains. Modern browsers support multiple techniques for relaxing the same-origin policy in a controlled manner: </p> <div class="mw-heading mw-heading3"><h3 id="Data_tainting">Data tainting</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=6" title="Edit section: Data tainting"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p><a href="/wiki/Netscape_Navigator" title="Netscape Navigator">Netscape Navigator</a> briefly contained a <a href="/wiki/Taint_checking" title="Taint checking">taint checking</a> feature. The feature was experimentally introduced in 1997 as part of Netscape 3.<sup id="cite_ref-:0_9-0" class="reference"><a href="#cite_note-:0-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> The feature was turned off by default, but if enabled by a user it would allow websites to attempt to read JavaScript properties of windows and <a href="/wiki/Frame_(World_Wide_Web)" title="Frame (World Wide Web)">frames</a> belonging to a different domain. 
The browser would then ask the user whether to permit the access in question.<sup id="cite_ref-10" class="reference"><a href="#cite_note-10"><span class="cite-bracket">[</span>10<span class="cite-bracket">]</span></a></sup><sup id="cite_ref-11" class="reference"><a href="#cite_note-11"><span class="cite-bracket">[</span>11<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="document.domain_property">document.domain property</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=7" title="Edit section: document.domain property"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>If two windows (or frames) contain scripts that set <code>document.domain</code> to the same value, the same-origin policy is relaxed for these two windows, and each window can interact with the other. For example, cooperating scripts in documents loaded from orders.example.com and catalog.example.com might set their <code>document.domain</code> properties to “example.com”, thereby making the documents appear to have the same origin and enabling each document to read properties of the other. Setting this property implicitly sets the port to null, which most browsers will treat differently from port 80 or even an unspecified port. 
To assure that access will be allowed by the browser, set the document.domain property of both pages.<sup id="cite_ref-12" class="reference"><a href="#cite_note-12"><span class="cite-bracket">[</span>12<span class="cite-bracket">]</span></a></sup> </p><p>The <code>document.domain</code> concept was introduced as part of Netscape Navigator 3,<sup id="cite_ref-13" class="reference"><a href="#cite_note-13"><span class="cite-bracket">[</span>13<span class="cite-bracket">]</span></a></sup> released in 1996.<sup id="cite_ref-:0_9-1" class="reference"><a href="#cite_note-:0-9"><span class="cite-bracket">[</span>9<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading3"><h3 id="Cross-Origin_Resource_Sharing">Cross-Origin Resource Sharing</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=8" title="Edit section: Cross-Origin Resource Sharing"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The other technique for relaxing the same-origin policy is standardized under the name <a href="/wiki/Cross-origin_resource_sharing" title="Cross-origin resource sharing">Cross-Origin Resource Sharing</a> (CORS). This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header.<sup id="cite_ref-14" class="reference"><a href="#cite_note-14"><span class="cite-bracket">[</span>14<span class="cite-bracket">]</span></a></sup> It allows servers to use a header to explicitly list origins that may request a file or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5, Safari 4 and Internet Explorer 10 use this header to allow the cross-origin HTTP requests with XMLHttpRequest that would otherwise have been forbidden by the same-origin policy. 
</p> <div class="mw-heading mw-heading3"><h3 id="Cross-document_messaging">Cross-document messaging</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=9" title="Edit section: Cross-document messaging"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Another technique, <a href="/wiki/Cross-document_messaging" class="mw-redirect" title="Cross-document messaging">cross-document messaging</a>, allows a script from one page to pass textual messages to a script on another page regardless of the scripts' origins. Calling the <code>postMessage()</code> method on a Window object asynchronously fires an <code>onmessage</code> event in that window, triggering any user-defined event handlers. A script in one page still cannot directly access methods or variables in the other page, but the two can exchange messages through this technique; a receiving handler should check the origin of each message before acting on it. </p> <div class="mw-heading mw-heading3"><h3 id="JSONP">JSONP</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=10" title="Edit section: JSONP"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1236090951">.mw-parser-output .hatnote{font-style:italic}.mw-parser-output div.hatnote{padding-left:1.6em;margin-bottom:0.5em}.mw-parser-output .hatnote i{font-style:normal}.mw-parser-output .hatnote+link+.hatnote{margin-top:-0.5em}@media print{body.ns-0 .mw-parser-output .hatnote{display:none!important}}</style><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/JSONP" title="JSONP">JSONP</a></div> <p>Since HTML <code>&lt;script&gt;</code> elements are allowed to retrieve and execute content from other domains, a page can bypass the same-origin policy and receive JSON data from a different domain by loading a resource that returns a JSONP 
payload. JSONP payloads consist of an internal JSON payload wrapped by a pre-defined function call. When the script resource is loaded by the browser, the designated callback function will be invoked to process the wrapped JSON payload. </p> <div class="mw-heading mw-heading3"><h3 id="WebSockets">WebSockets</h3><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=11" title="Edit section: WebSockets"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a href="/wiki/WebSocket" title="WebSocket">WebSocket</a></div> <p>Modern browsers will permit a script to connect to a WebSocket address without applying the same-origin policy. However, they recognize when a WebSocket URI is used, and insert an <b>Origin:</b> header into the request that indicates the origin of the script requesting the connection. To ensure cross-site security, the WebSocket server must compare the header data against an allowlist of origins permitted to receive a reply. </p> <div class="mw-heading mw-heading2"><h2 id="Corner_cases">Corner cases</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=12" title="Edit section: Corner cases"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>The behavior of same-origin checks and related mechanisms is not well-defined in a number of corner cases such as for pseudo-protocols that do not have a clearly defined host name or port associated with their URLs (<a href="/wiki/File_URI_scheme" title="File URI scheme">file:</a>, data:, etc.). 
This historically caused a fair number of security problems, such as the generally undesirable ability of any locally stored HTML file to access all other files on the disk, or communicate with any site on the Internet. </p><p>Lastly, certain types of attacks, such as DNS rebinding or server-side proxies, permit the host name check to be partly subverted, and make it possible for rogue web pages to directly interact with sites through addresses other than their "true", canonical origin. The impact of such attacks is limited to very specific scenarios, since the browser still believes that it is interacting with the attacker's site, and therefore does not disclose third-party cookies or other sensitive information to the attacker. </p> <div class="mw-heading mw-heading2"><h2 id="Attacks">Attacks</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=13" title="Edit section: Attacks"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <div class="mw-heading mw-heading4"><h4 id="Reading_Information">Reading Information</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=14" title="Edit section: Reading Information"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Even when same-origin policy is in effect (without being relaxed by Cross-Origin Resource Sharing), certain cross-origin attacks can be performed. <a href="/wiki/WebRTC" title="WebRTC">WebRTC</a> can be used to find out the internal IP address of a victim<sup id="cite_ref-15" class="reference"><a href="#cite_note-15"><span class="cite-bracket">[</span>15<span class="cite-bracket">]</span></a></sup>. 
When a script attempts to connect to a cross-origin port, the same-origin policy prevents the response from being read, but <a href="/wiki/JavaScript" title="JavaScript">JavaScript</a> can still infer whether the port is open or closed by checking whether the onload or onerror event fires, or whether the request times out. This gives opportunities for cross-origin <a href="/wiki/Portscanning" class="mw-redirect" title="Portscanning">portscanning</a>. </p><p>Further, JavaScript snippets can use techniques like cross-site leaks<sup id="cite_ref-16" class="reference"><a href="#cite_note-16"><span class="cite-bracket">[</span>16<span class="cite-bracket">]</span></a></sup> to exploit long-standing information leaks in browsers and infer information across origins. These attacks can be counteracted by implementing a Cross-Origin Resource Policy (CORP) header, which lets a website owner prevent its resources, such as images, videos, and stylesheets, from being loaded cross-origin or cross-site. CORP can also block JavaScript-initiated <code>fetch</code> requests, but only if they are sent with the <code>no-cors</code><sup id="cite_ref-17" class="reference"><a href="#cite_note-17"><span class="cite-bracket">[</span>17<span class="cite-bracket">]</span></a></sup> request mode.<sup id="cite_ref-18" class="reference"><a href="#cite_note-18"><span class="cite-bracket">[</span>18<span class="cite-bracket">]</span></a></sup> </p> <div class="mw-heading mw-heading4"><h4 id="Writing_Information_(CSRF)"><span id="Writing_Information_.28CSRF.29"></span>Writing Information (CSRF)</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=15" title="Edit section: Writing Information (CSRF)"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1236090951"><div role="note" class="hatnote navigation-not-searchable">Main article: <a 
href="/wiki/Cross-site_request_forgery" title="Cross-site request forgery">Cross-site request forgery</a></div> <p>The same-origin policy does not prevent the browser from making GET, OPTIONS, and TRACE requests; it only prevents the responses from being read by user code. Therefore, if an endpoint uses one of these "safe" request methods to write information or perform an action on a user's behalf, it can be exploited by attackers. </p> <div class="mw-heading mw-heading4"><h4 id="Leaking_or_Writing_Information_via_Cookies">Leaking or Writing Information via Cookies</h4><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=16" title="Edit section: Leaking or Writing Information via Cookies"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <p>Note that the same-origin policy does not apply to <a href="/wiki/HTTP_cookie" title="HTTP cookie">cookies</a> for historical reasons<sup id="cite_ref-19" class="reference"><a href="#cite_note-19"><span class="cite-bracket">[</span>19<span class="cite-bracket">]</span></a></sup>. If multiple mutually distrusting sites are deployed on the same hostname on different port numbers, all cookies set by any of them are shared between them, contrary to the origin boundary the SOP draws. This can be used to leak users' session tokens and steal account information. Therefore, web services should be separated by using distinct <a href="/wiki/Subdomain" title="Subdomain">subdomains</a> rather than distinct port numbers. 
</p> <div class="mw-heading mw-heading2"><h2 id="See_also">See also</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=17" title="Edit section: See also"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a href="/wiki/Cross-origin_resource_sharing" title="Cross-origin resource sharing">Cross-origin resource sharing</a></li> <li><a href="/wiki/Cross-site_scripting" title="Cross-site scripting">Cross-site scripting</a></li> <li><a href="/wiki/Cross-site_request_forgery" title="Cross-site request forgery">Cross-site request forgery</a></li> <li><a href="/wiki/Site_isolation" title="Site isolation">Site isolation</a></li> <li><a href="/wiki/Content_Security_Policy" title="Content Security Policy">Content Security Policy</a></li></ul> <div class="mw-heading mw-heading2"><h2 id="Further_reading">Further reading</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=18" title="Edit section: Further reading"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a rel="nofollow" class="external text" href="https://www.aosabook.org/en/500L/the-same-origin-policy.html">The Same-Origin Policy</a> in <i>500 Lines or Less</i>.</li></ul> <div class="mw-heading mw-heading2"><h2 id="References">References</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=19" title="Edit section: References"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <style data-mw-deduplicate="TemplateStyles:r1239543626">.mw-parser-output .reflist{margin-bottom:0.5em;list-style-type:decimal}@media screen{.mw-parser-output .reflist{font-size:90%}}.mw-parser-output .reflist 
.references{font-size:100%;margin-bottom:0;list-style-type:inherit}.mw-parser-output .reflist-columns-2{column-width:30em}.mw-parser-output .reflist-columns-3{column-width:25em}.mw-parser-output .reflist-columns{margin-top:0.3em}.mw-parser-output .reflist-columns ol{margin-top:0}.mw-parser-output .reflist-columns li{page-break-inside:avoid;break-inside:avoid-column}.mw-parser-output .reflist-upper-alpha{list-style-type:upper-alpha}.mw-parser-output .reflist-upper-roman{list-style-type:upper-roman}.mw-parser-output .reflist-lower-alpha{list-style-type:lower-alpha}.mw-parser-output .reflist-lower-greek{list-style-type:lower-greek}.mw-parser-output .reflist-lower-roman{list-style-type:lower-roman}</style><div class="reflist"> <div class="mw-references-wrap mw-references-columns"><ol class="references"> <li id="cite_note-1"><span class="mw-cite-backlink"><b><a href="#cite_ref-1">^</a></b></span> <span class="reference-text"><style data-mw-deduplicate="TemplateStyles:r1238218222">.mw-parser-output cite.citation{font-style:inherit;word-wrap:break-word}.mw-parser-output .citation q{quotes:"\"""\"""'""'"}.mw-parser-output .citation:target{background-color:rgba(0,127,255,0.133)}.mw-parser-output .id-lock-free.id-lock-free a{background:url("//upload.wikimedia.org/wikipedia/commons/6/65/Lock-green.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-limited.id-lock-limited a,.mw-parser-output .id-lock-registration.id-lock-registration a{background:url("//upload.wikimedia.org/wikipedia/commons/d/d6/Lock-gray-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .id-lock-subscription.id-lock-subscription a{background:url("//upload.wikimedia.org/wikipedia/commons/a/aa/Lock-red-alt-2.svg")right 0.1em center/9px no-repeat}.mw-parser-output .cs1-ws-icon a{background:url("//upload.wikimedia.org/wikipedia/commons/4/4c/Wikisource-logo.svg")right 0.1em center/12px no-repeat}body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-free 
a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-limited a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-registration a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .id-lock-subscription a,body:not(.skin-timeless):not(.skin-minerva) .mw-parser-output .cs1-ws-icon a{background-size:contain;padding:0 1em 0 0}.mw-parser-output .cs1-code{color:inherit;background:inherit;border:none;padding:inherit}.mw-parser-output .cs1-hidden-error{display:none;color:var(--color-error,#d33)}.mw-parser-output .cs1-visible-error{color:var(--color-error,#d33)}.mw-parser-output .cs1-maint{display:none;color:#085;margin-left:0.3em}.mw-parser-output .cs1-kern-left{padding-left:0.2em}.mw-parser-output .cs1-kern-right{padding-right:0.2em}.mw-parser-output .citation .mw-selflink{font-weight:inherit}@media screen{.mw-parser-output .cs1-format{font-size:95%}html.skin-theme-clientpref-night .mw-parser-output .cs1-maint{color:#18911f}}@media screen and (prefers-color-scheme:dark){html.skin-theme-clientpref-os .mw-parser-output .cs1-maint{color:#18911f}}</style><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20020808153106/http://wp.netscape.com:80/eng/mozilla/3.0/handbook/javascript/advtopic.htm#1009533">"Netscape 3.0 Handbook - Advanced topics"</a>. <i>netscape.com</i>. Archived from <a rel="nofollow" class="external text" href="http://wp.netscape.com/eng/mozilla/3.0/handbook/javascript/advtopic.htm#1009533">the original</a> on 2002-08-08<span class="reference-accessdate">. Retrieved <span class="nowrap">2020-02-16</span></span>. 
<q>Navigator version 2.02 and later automatically prevents scripts on one server from accessing properties of documents on a different server.</q></cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=netscape.com&rft.atitle=Netscape+3.0+Handbook+-+Advanced+topics&rft_id=http%3A%2F%2Fwp.netscape.com%2Feng%2Fmozilla%2F3.0%2Fhandbook%2Fjavascript%2Fadvtopic.htm%231009533&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-2"><span class="mw-cite-backlink"><b><a href="#cite_ref-2">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.webdesignmuseum.org/web-design-history/javascript-1-0-1995">"JavaScript 1.0 - 1995"</a>. <i>www.webdesignmuseum.org</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2020-01-19</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=www.webdesignmuseum.org&rft.atitle=JavaScript+1.0+-+1995&rft_id=https%3A%2F%2Fwww.webdesignmuseum.org%2Fweb-design-history%2Fjavascript-1-0-1995&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-3"><span class="mw-cite-backlink"><b><a href="#cite_ref-3">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/19970614000538/http://home.netscape.com/eng/mozilla/2.0/relnotes/windows-2.0.html">"Welcome to Netscape Navigator Version 2.0"</a>. <i>netscape.com</i>. 1997-06-14. 
Archived from <a rel="nofollow" class="external text" href="http://home.netscape.com/eng/mozilla/2.0/relnotes/windows-2.0.html">the original</a> on 1997-06-14<span class="reference-accessdate">. Retrieved <span class="nowrap">2020-02-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=netscape.com&rft.atitle=Welcome+to+Netscape+Navigator+Version+2.0&rft.date=1997-06-14&rft_id=http%3A%2F%2Fhome.netscape.com%2Feng%2Fmozilla%2F2.0%2Frelnotes%2Fwindows-2.0.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-4"><span class="mw-cite-backlink"><b><a href="#cite_ref-4">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy">"Browser Security Handbook, part 2"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">31 January</span> 2014</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Browser+Security+Handbook%2C+part+2&rft_id=https%3A%2F%2Fcode.google.com%2Fp%2Fbrowsersec%2Fwiki%2FPart2%23Same-origin_policy&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-W3C_Same_Origin_Document-5"><span class="mw-cite-backlink"><b><a href="#cite_ref-W3C_Same_Origin_Document_5-0">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.w3.org/Security/wiki/Same_Origin_Policy">"Same Origin Policy"</a>. W3C<span class="reference-accessdate">. 
Retrieved <span class="nowrap">31 January</span> 2014</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=Same+Origin+Policy&rft.pub=W3C&rft_id=https%3A%2F%2Fwww.w3.org%2FSecurity%2Fwiki%2FSame_Origin_Policy&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-6"><span class="mw-cite-backlink"><b><a href="#cite_ref-6">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFKitamura" class="citation web cs1">Kitamura, Eiji. <a rel="nofollow" class="external text" href="https://web.dev/same-site-same-origin/">"Understanding "same-site" and "same-origin"<span class="cs1-kern-right"></span>"</a>. <i>Web.dev</i>. Google<span class="reference-accessdate">. Retrieved <span class="nowrap">26 January</span> 2023</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Web.dev&rft.atitle=Understanding+%22same-site%22+and+%22same-origin%22&rft.aulast=Kitamura&rft.aufirst=Eiji&rft_id=https%3A%2F%2Fweb.dev%2Fsame-site-same-origin%2F&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-7"><span class="mw-cite-backlink"><b><a href="#cite_ref-7">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Origin">"Origin"</a>. <i>Mozilla Developer Network Web Docs</i>. Mozilla<span class="reference-accessdate">. 
Retrieved <span class="nowrap">26 January</span> 2023</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=Mozilla+Developer+Network+Web+Docs&rft.atitle=Origin&rft_id=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FHTTP%2FHeaders%2FOrigin&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-8"><span class="mw-cite-backlink"><b><a href="#cite_ref-8">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFLawrence" class="citation web cs1">Lawrence, Eric. <a rel="nofollow" class="external text" href="http://blogs.msdn.com/b/ieinternals/archive/2009/08/28/explaining-same-origin-policy-part-1-deny-read.aspx">"IEInternals - Same Origin Policy Part 1"</a><span class="reference-accessdate">. Retrieved <span class="nowrap">22 October</span> 2013</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=unknown&rft.btitle=IEInternals+-+Same+Origin+Policy+Part+1&rft.aulast=Lawrence&rft.aufirst=Eric&rft_id=http%3A%2F%2Fblogs.msdn.com%2Fb%2Fieinternals%2Farchive%2F2009%2F08%2F28%2Fexplaining-same-origin-policy-part-1-deny-read.aspx&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-:0-9"><span class="mw-cite-backlink">^ <a href="#cite_ref-:0_9-0"><sup><i><b>a</b></i></sup></a> <a href="#cite_ref-:0_9-1"><sup><i><b>b</b></i></sup></a></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/19970614000558/http://home.netscape.com/eng/mozilla/3.0/relnotes/windows-3.0.html">"Netscape Navigator 3.0 - What's New"</a>. <i>netscape.com</i>. 1997-06-14. 
Archived from <a rel="nofollow" class="external text" href="http://home.netscape.com/eng/mozilla/3.0/relnotes/windows-3.0.html">the original</a> on 1997-06-14<span class="reference-accessdate">. Retrieved <span class="nowrap">2020-02-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=netscape.com&rft.atitle=Netscape+Navigator+3.0+-+What%27s+New&rft.date=1997-06-14&rft_id=http%3A%2F%2Fhome.netscape.com%2Feng%2Fmozilla%2F3.0%2Frelnotes%2Fwindows-3.0.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-10"><span class="mw-cite-backlink"><b><a href="#cite_ref-10">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20030221194605/http://devedge.netscape.com/library/manuals/2000/javascript/1.3/guide/sec.html">"JavaScript 1.3 Guide - Security"</a>. <i>netscape.com</i>. 2003-02-21. Archived from <a rel="nofollow" class="external text" href="http://devedge.netscape.com/library/manuals/2000/javascript/1.3/guide/sec.html">the original</a> on 2003-02-21<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2020-02-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=netscape.com&rft.atitle=JavaScript+1.3+Guide+-+Security&rft.date=2003-02-21&rft_id=http%3A%2F%2Fdevedge.netscape.com%2Flibrary%2Fmanuals%2F2000%2Fjavascript%2F1.3%2Fguide%2Fsec.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-11"><span class="mw-cite-backlink"><b><a href="#cite_ref-11">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://docs.oracle.com/cd/E19957-01/816-6409-10/sec.htm#1021266">"JavaScript 1.3 Guide - Security"</a>. <i>docs.oracle.com</i>. <a rel="nofollow" class="external text" href="https://web.archive.org/web/20120824020315/https://docs.oracle.com/cd/E19957-01/816-6409-10/sec.htm">Archived</a> from the original on 2012-08-24<span class="reference-accessdate">. Retrieved <span class="nowrap">2020-02-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=docs.oracle.com&rft.atitle=JavaScript+1.3+Guide+-+Security&rft_id=https%3A%2F%2Fdocs.oracle.com%2Fcd%2FE19957-01%2F816-6409-10%2Fsec.htm%231021266&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-12"><span class="mw-cite-backlink"><b><a href="#cite_ref-12">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFLePera" class="citation web cs1">LePera, Scott. <a rel="nofollow" class="external text" href="http://jszen.blogspot.nl/2005/03/cross-domain-security-woes.html">"Cross-domain security woes"</a>. 
<i>The Strange Zen Of JavaScript</i><span class="reference-accessdate">. Retrieved <span class="nowrap">4 April</span> 2014</span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=The+Strange+Zen+Of+JavaScript&rft.atitle=Cross-domain+security+woes&rft.aulast=LePera&rft.aufirst=Scott&rft_id=http%3A%2F%2Fjszen.blogspot.nl%2F2005%2F03%2Fcross-domain-security-woes.html&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-13"><span class="mw-cite-backlink"><b><a href="#cite_ref-13">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://web.archive.org/web/20021003075205/http://wp.netscape.com/eng/mozilla/3.0/handbook/javascript/ref_d-e.htm">"Netscape 3.0 - JavaScript Handbook"</a>. <i>netscape.com</i>. Archived from <a rel="nofollow" class="external text" href="http://wp.netscape.com/eng/mozilla/3.0/handbook/javascript/ref_d-e.htm">the original</a> on 2002-10-03<span class="reference-accessdate">. 
Retrieved <span class="nowrap">2020-02-16</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=netscape.com&rft.atitle=Netscape+3.0+-+JavaScript+Handbook&rft_id=http%3A%2F%2Fwp.netscape.com%2Feng%2Fmozilla%2F3.0%2Fhandbook%2Fjavascript%2Fref_d-e.htm&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-14"><span class="mw-cite-backlink"><b><a href="#cite_ref-14">^</a></b></span> <span class="reference-text"><a rel="nofollow" class="external text" href="https://www.youtube.com/watch?v=afnDANxsaYo">Creating WSGI Middleware</a></span> </li> <li id="cite_note-15"><span class="mw-cite-backlink"><b><a href="#cite_ref-15">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://www.w3.org/TR/webrtc/#revealing-ip-addresses">"WebRTC: Real-Time Communication in Browsers"</a>. <i>World Wide Web Consortium</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2024-08-27</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=World+Wide+Web+Consortium&rft.atitle=WebRTC%3A+Real-Time+Communication+in+Browsers&rft_id=https%3A%2F%2Fwww.w3.org%2FTR%2Fwebrtc%2F%23revealing-ip-addresses&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span><span class="cs1-maint citation-comment"><code class="cs1-code">{{<a href="/wiki/Template:Cite_web" title="Template:Cite web">cite web</a>}}</code>: CS1 maint: url-status (<a href="/wiki/Category:CS1_maint:_url-status" title="Category:CS1 maint: url-status">link</a>)</span></span> </li> <li id="cite_note-16"><span class="mw-cite-backlink"><b><a href="#cite_ref-16">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://xsleaks.dev">"Introduction"</a>. <i>XS-Leaks Wiki</i><span class="reference-accessdate">. Retrieved <span class="nowrap">2024-10-27</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=XS-Leaks+Wiki&rft.atitle=Introduction&rft_id=https%3A%2F%2Fxsleaks.dev&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-17"><span class="mw-cite-backlink"><b><a href="#cite_ref-17">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://fetch.spec.whatwg.org/#concept-request-mode">"Fetch Standard"</a>. <i>fetch.spec.whatwg.org</i><span class="reference-accessdate">. 
Retrieved <span class="nowrap">2024-10-27</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=fetch.spec.whatwg.org&rft.atitle=Fetch+Standard&rft_id=https%3A%2F%2Ffetch.spec.whatwg.org%2F%23concept-request-mode&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-18"><span class="mw-cite-backlink"><b><a href="#cite_ref-18">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite class="citation web cs1"><a rel="nofollow" class="external text" href="https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/CORP">"Cross-Origin Resource Policy (CORP) implementation - Security on the web | MDN"</a>. <i>developer.mozilla.org</i>. 2024-08-07<span class="reference-accessdate">. Retrieved <span class="nowrap">2024-10-27</span></span>.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Ajournal&rft.genre=unknown&rft.jtitle=developer.mozilla.org&rft.atitle=Cross-Origin+Resource+Policy+%28CORP%29+implementation+-+Security+on+the+web+%7C+MDN&rft.date=2024-08-07&rft_id=https%3A%2F%2Fdeveloper.mozilla.org%2Fen-US%2Fdocs%2FWeb%2FSecurity%2FPractical_implementation_guides%2FCORP&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> <li id="cite_note-19"><span class="mw-cite-backlink"><b><a href="#cite_ref-19">^</a></b></span> <span class="reference-text"><link rel="mw-deduplicated-inline-style" href="mw-data:TemplateStyles:r1238218222"><cite id="CITEREFBarth2011" class="citation report cs1">Barth, Adam (2011-04-27). <a rel="nofollow" class="external text" href="https://www.rfc-editor.org/rfc/rfc6265#section-8.5">HTTP State Management Mechanism</a> (Report). 
Internet Engineering Task Force.</cite><span title="ctx_ver=Z39.88-2004&rft_val_fmt=info%3Aofi%2Ffmt%3Akev%3Amtx%3Abook&rft.genre=report&rft.btitle=HTTP+State+Management+Mechanism&rft.pub=Internet+Engineering+Task+Force&rft.date=2011-04-27&rft.aulast=Barth&rft.aufirst=Adam&rft_id=https%3A%2F%2Fwww.rfc-editor.org%2Frfc%2Frfc6265%23section-8.5&rfr_id=info%3Asid%2Fen.wikipedia.org%3ASame-origin+policy" class="Z3988"></span></span> </li> </ol></div></div> <div class="mw-heading mw-heading2"><h2 id="External_links">External links</h2><span class="mw-editsection"><span class="mw-editsection-bracket">[</span><a href="/w/index.php?title=Same-origin_policy&action=edit&section=20" title="Edit section: External links"><span>edit</span></a><span class="mw-editsection-bracket">]</span></span></div> <ul><li><a rel="nofollow" class="external text" href="https://code.google.com/p/browsersec/wiki/Part2#Same-origin_policy">A detailed comparison of several flavors of same-origin policies</a></li> <li><a rel="nofollow" class="external text" href="https://web.archive.org/web/20070211191158/http://taossa.com/index.php/2007/02/08/same-origin-policy/">A review of deficiencies in same-origin policies and their implication for web security</a> at the <a href="/wiki/Wayback_Machine" title="Wayback Machine">Wayback Machine</a> (archived February 11, 2007)</li> <li><a rel="nofollow" class="external text" href="https://www.mozilla.org/projects/security/components/same-origin.html">Sample vendor-provided same-origin policy specification</a></li> <li><a rel="nofollow" class="external text" href="https://www.w3.org/TR/html5/browsers.html#section-origin">The HTML5 spec's definition of Origin</a></li> <li><a rel="nofollow" class="external text" href="https://www.w3.org/Security/wiki/Same_Origin_Policy">W3C Article on the Same Origin Policy</a></li> <li><a rel="nofollow" class="external text" href="https://tools.ietf.org/html/rfc6454">RFC 6454 on The Web Origin Concept</a></li> <li><a rel="nofollow" 
class="external text" href="http://identitymeme.org/http-cookie-processing-algorithm-etlds/">Blog post: The Cookie Same Origin Policy</a></li> <li><a rel="nofollow" class="external text" href="https://wordpress.org/support/plugin/wp-content-security-policy/">wordpress.org plugin for Content Security Policy</a></li></ul>
loading="lazy"></a></li> </ul> </footer> </div> </div> </div> <div class="vector-settings" id="p-dock-bottom"> <ul></ul> </div><script>(RLQ=window.RLQ||[]).push(function(){mw.config.set({"wgHostname":"mw-web.codfw.main-f69cdc8f6-k672k","wgBackendResponseTime":143,"wgPageParseReport":{"limitreport":{"cputime":"0.249","walltime":"0.291","ppvisitednodes":{"value":1180,"limit":1000000},"postexpandincludesize":{"value":30139,"limit":2097152},"templateargumentsize":{"value":638,"limit":2097152},"expansiondepth":{"value":8,"limit":100},"expensivefunctioncount":{"value":4,"limit":500},"unstrip-depth":{"value":1,"limit":20},"unstrip-size":{"value":62755,"limit":5000000},"entityaccesscount":{"value":0,"limit":400},"timingprofile":["100.00% 261.878 1 -total"," 62.20% 162.901 1 Template:Reflist"," 52.10% 136.439 17 Template:Cite_web"," 20.04% 52.491 1 Template:Short_description"," 12.28% 32.166 2 Template:Pagetype"," 8.71% 22.810 3 Template:Main"," 4.48% 11.745 3 Template:Main_other"," 3.88% 10.154 1 Template:SDcat"," 2.72% 7.127 1 Template:Webarchive"," 1.72% 4.504 1 Template:Cite_report"]},"scribunto":{"limitreport-timeusage":{"value":"0.152","limit":"10.000"},"limitreport-memusage":{"value":5038684,"limit":52428800}},"cachereport":{"origin":"mw-web.codfw.main-f69cdc8f6-qqs7t","timestamp":"20241122143130","ttl":2592000,"transientcontent":false}}});});</script> <script type="application/ld+json">{"@context":"https:\/\/schema.org","@type":"Article","name":"Same-origin policy","url":"https:\/\/en.wikipedia.org\/wiki\/Same-origin_policy","sameAs":"http:\/\/www.wikidata.org\/entity\/Q2031810","mainEntity":"http:\/\/www.wikidata.org\/entity\/Q2031810","author":{"@type":"Organization","name":"Contributors to Wikimedia projects"},"publisher":{"@type":"Organization","name":"Wikimedia Foundation, 
Inc.","logo":{"@type":"ImageObject","url":"https:\/\/www.wikimedia.org\/static\/images\/wmf-hor-googpub.png"}},"datePublished":"2005-05-13T21:05:04Z","dateModified":"2024-11-17T20:18:25Z","headline":"web security concept"}</script> </body> </html>