Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) 101
Same-Origin Policy (SOP)
We shall explore the definition and implementation of same-origin policy (SOP) in this section.
Think of your web browser as the manager of an apartment building, and every website as one apartment. Each website keeps private belongings in its apartment, such as cookies and passwords. JavaScript is like a tenant: the JavaScript code lives inside the website’s apartment and helps with its various tasks and responsibilities.
The SOP is the security policy for the building.
“No snooping in other apartments!” One website’s JavaScript cannot directly access or modify data in another website’s apartment. This stops sneaky neighbors, sometimes known as malicious scripts, from taking anything from you or tampering with it.
Scripts on one origin cannot access data from another origin due to the Same Origin Policy. A URL scheme (protocol), hostname (domain) and port number make up an origin.
URL:
The short string of characters, numbers, and symbols known as the Uniform Resource Locator (URL) is what a computer uses to locate and access resources on a network, including files, photos, videos, and other material.
URL scheme:
The initial section of the URL, known as the URL scheme, specifies the protocol to be followed to access the resource.
Domain:
A domain is associated with an IP (Internet Protocol) address, which is a numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication.
Domain name:
A human-readable name or address that links to a particular IP address on the internet is called a domain name. It gives users a simple way of remembering and visiting websites, such as ‘YouTube.com’, without requiring them to memorise IP addresses in numeric form.
Ports:
In a networked system, port numbers are used to identify certain processes to which data or messages should be sent.
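The origin tuple described above (scheme, hostname, port) can be computed and compared in a few lines with the WHATWG URL API that browsers and Node.js share. The following is an added example, not code from the original article; the page URL and comparison URLs are constructed sample values.

```javascript
// Added example (not from the original article): compute the origin tuple
// (scheme, host, port) of a URL and compare two URLs the way the
// Same-Origin Policy does. All URLs below are constructed sample values.

function originOf(url) {
  const u = new URL(url);
  // The URL parser drops a scheme-default port ("https://a.com:443" -> port ""),
  // and lower-cases the hostname, so those variants compare equal automatically.
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port: u.port };
}

function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// The page whose script is trying to reach each of the URLs below.
const PAGE = "https://www.example.com/account/settings";

// [candidate URL, expected same-origin verdict]
const CASES = [
  ["https://www.example.com/api/profile", true],   // only the path differs
  ["https://WWW.example.com:443/", true],          // explicit default port, different case
  ["http://www.example.com/", false],              // scheme differs
  ["https://api.example.com/", false],             // hostname (subdomain) differs
  ["https://www.example.com:8443/", false],        // port differs
];

// Returns true when every case matches the expected verdict.
function allCasesPass() {
  return CASES.every(([url, expected]) => isSameOrigin(PAGE, url) === expected);
}

for (const [url, expected] of CASES) {
  console.log(`${url} -> same origin as page: ${isSameOrigin(PAGE, url)} (expected ${expected})`);
}
```

Note that the path and query string play no part in the comparison: two pages on the same scheme, host and port are the same origin no matter which paths they live at, and a subdomain is a different origin even though it shares the registrable domain.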
SOP doesn’t completely eliminate interaction between different origins; CORS is needed so that the browser and the server can each evaluate whether a specific cross-origin interaction may pose a threat and, if not, allow it.
Cross-Origin Resource Sharing (CORS)
In this section, we will look at the concept of Cross-Origin Resource Sharing (CORS).
Websites from several domains may occasionally need to work together. Cross-Origin Resource Sharing, or CORS, is used in this situation. Consider it a special invitation from one apartment to another, outlining which resources the neighbor is permitted to use and under what circumstances.
CORS is a mechanism that uses HTTP headers to tell the browser which origins are permitted to load a resource. It makes use of two HTTP headers:
a. Access-Control-Allow-Origin header: The server sends the Access-Control-Allow-Origin header in response to a request from a different origin. It specifies the origins that are allowed access to the resource.
i. Access-Control-Allow-Origin header: * (wildcard)
Grants access to all origins, regardless of their domain, protocol, or port.
Example: Access-Control-Allow-Origin: *
ii. Access-Control-Allow-Origin header: <origin>
Limits access to a single, explicitly allowed origin.
Example: Access-Control-Allow-Origin: https://www.example.com
iii. Access-Control-Allow-Origin header: null
Denies access to all origins, even the origin that made the request.
Example: Access-Control-Allow-Origin: null
b. Access-Control-Allow-Credentials header: The Access-Control-Allow-Credentials response header allows cookies or any other user credentials to be included in cross-origin requests.
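To show how the two headers above are used on each side of a cross-origin request, here is an added example (not code from the original article) with the server’s decision and the browser’s decision written as plain functions, so the exchange can be run without a server or a browser. The allow-list, origins and header values are constructed sample values; the server-side function uses an exact-match allow-list and only ever echoes an origin that is on that list.

```javascript
// Added example (not from the original article): both sides of a CORS
// exchange as pure functions. Allow-list, origins and headers are constructed.

// Server side: choose the CORS headers for a response, given the request's
// Origin header. Only an origin found verbatim in the allow-list is echoed
// back; any other origin gets no Access-Control-Allow-Origin header at all,
// so the browser will withhold the response body from the calling script.
function corsResponseHeaders(requestOrigin, allowList, { allowCredentials = false } = {}) {
  const headers = {};
  if (requestOrigin === undefined) return headers;        // same-origin or non-browser client
  if (!allowList.includes(requestOrigin)) return headers; // not invited: say nothing
  headers["Access-Control-Allow-Origin"] = requestOrigin;
  headers["Vary"] = "Origin";                             // shared caches must key on Origin
  if (allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return headers;
}

// Browser side: given the page's origin and the response headers, decide
// whether the page's script is allowed to read the cross-origin response.
function browserExposesResponse(pageOrigin, responseHeaders, { withCredentials = false } = {}) {
  const acao = responseHeaders["Access-Control-Allow-Origin"];
  const acac = responseHeaders["Access-Control-Allow-Credentials"];
  if (acao === undefined) return false;
  if (withCredentials) {
    // A request that carries cookies needs the exact origin echoed back plus
    // an explicit opt-in; browsers reject the "*" wildcard in this mode.
    return acao === pageOrigin && acac === "true";
  }
  return acao === "*" || acao === pageOrigin;
}

// Constructed allow-list for a hypothetical API at https://api.example.com.
const ALLOW_LIST = ["https://app.example.com"];

// Walk one request through both sides and report whether the script got the data.
function exchange(pageOrigin, { credentials = false } = {}) {
  const server = corsResponseHeaders(pageOrigin, ALLOW_LIST, { allowCredentials: credentials });
  return browserExposesResponse(pageOrigin, server, { withCredentials: credentials });
}

console.log("allowed origin, no cookies:", exchange("https://app.example.com"));            // true
console.log("allowed origin, with cookies:", exchange("https://app.example.com", { credentials: true })); // true
console.log("unlisted origin:", exchange("https://other.example.org"));                      // false
console.log("wildcard with cookies:", browserExposesResponse("https://app.example.com",
  { "Access-Control-Allow-Origin": "*" }, { withCredentials: true }));                       // false
```

Two design points worth noticing: the server never reflects an arbitrary Origin header, it only echoes one that appears in its allow-list, and it adds Vary: Origin so a cached response for one origin is not served to another. On the browser side, the wildcard is enough for anonymous requests but is rejected once credentials are involved, which is why a credentialed API must name the exact origin and send Access-Control-Allow-Credentials: true.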
The Same Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) are essential cybersecurity measures. By preventing web pages from requesting content from domains other than their own, SOP acts as a strong defence against attacks such as cross-site scripting (XSS) and cross-site request forgery (CSRF). This built-in security layer prevents private user information from getting into the wrong hands. As for CORS, it serves as a regulated gateway that, when specifically allowed by the server, allows some cross-origin requests. This selective relaxation of SOP makes it easier for web apps to communicate securely with a variety of sites while guaranteeing that sensitive data may only be accessed and altered by authorised parties.
And that’s the SOP and CORS 101 rundown. Just remember, with great power comes great CORS-ponsibility.