What’s Same Origin Policy?
Aug 15th, 2008 by Micheal
phpBB.com recently started a phpBB Blog and one of the posts is by a developer explaining some of the garbage reports they have to put up with.
In the post I’m talking about, the developer lists a few bogus reports and more than once mentions something called “same domain policy.” The more common name for this is Same Origin Policy. Basically, this means the browser executes code within a sandbox, and if that code tries to reach outside the domain of the website it came from, it gets flagged as not being of the same origin and doesn’t get executed. Clear as mud? Yeah, I thought so. Let’s look at this a little differently then.
Note that I said domain, not domain name. While you could technically say they are the same thing and be right most of the time, this time you would not be. What I mean by domain is its other meaning: not the mathematical one, but something similar, in that a domain here is a boundary, and it is restrictive.
So here is how it works. Let’s say I have JavaScript on me.example.com. Same Origin Policy would not allow it to escape me.example.com to, say, you.example.org, or me2.example.com, or me.example.com:8080. This distinction is important. SOP differentiates between me.example.com and me2.example.com, and it also differentiates between ports. While they share the same domain name, they are different “hostnames.” However, I can set document.domain and allow the JavaScript to escape only as far as .example.com. This means I can relax the SOP for my domain (this time referring to the name) up to its root. Mozilla calls me.example.com a hostname. I disagree with that, but it is an easy way to think of it.
Still confused? Try this. JavaScript on the hostname me.example.com is bound by the SOP and cannot talk to example.org. This is its sandbox. However, by setting document.domain, JavaScript on me.example.com can talk to me2.example.com, but still not to example.org. That said, there are a few things that are exempt from the SOP. Mozilla has them listed:
Set Location (but not location.host, etc.)
History.go(), History.back(), etc.
Document.write()
Window and frame objects
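The two paragraphs above describe the origin comparison in words. Here is the same decision in code, as an added example that is not part of the original post: an origin is the (scheme, host, port) triple, a strict comparison treats me2.example.com and port 8080 as foreign, and the legacy document.domain relaxation lets two hostnames under the same parent domain talk only when both sides have set it to the same value. The function names (originOf, sameOrigin, canTalkAfterDomainRelax) and the simple “must contain a dot” guard against relaxing to a bare public suffix are this example’s own assumptions, not browser APIs.

```javascript
// Added example: how a browser decides whether two URLs share an origin, and
// how the legacy document.domain relaxation changes that decision.
// All function names here are this example's own (not a browser API).

// Default ports per scheme, so http://a.example.com and http://a.example.com:80
// compare as the same origin.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// The origin is the (scheme, host, port) triple; path and query play no part.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Strict SOP check: every component must match exactly, so me.example.com vs
// me2.example.com, or port 80 vs 8080, are different origins.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// A page may set document.domain only to its own hostname or a parent of it.
function isSuffixDomain(host, domain) {
  return host === domain || host.endsWith('.' + domain);
}

// Legacy document.domain relaxation. Pass null for a page that never set it.
// Two pages can talk only when BOTH set document.domain to the same value;
// a page that set it no longer matches a page that did not, even on the same
// hostname. Once set, the port is dropped from the comparison (the HTML
// standard nulls the origin's port), but the scheme must still match.
function canTalkAfterDomainRelax(a, aDomain, b, bDomain) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.scheme !== ob.scheme) return false;
  if (aDomain === null && bDomain === null) return sameOrigin(a, b); // nobody relaxed
  if (aDomain === null || bDomain === null) return false;            // only one side relaxed
  if (!isSuffixDomain(oa.host, aDomain) || !isSuffixDomain(ob.host, bDomain)) return false;
  // Crude public-suffix guard (assumption for this example): refuse a bare TLD like "com".
  if (!aDomain.includes('.') || !bDomain.includes('.')) return false;
  return aDomain === bDomain;
}

// Walk through the post's own cases.
console.log(sameOrigin('http://me.example.com/a', 'http://me.example.com/b?x=1')); // true
console.log(sameOrigin('http://me.example.com', 'http://me2.example.com'));         // false
console.log(sameOrigin('http://me.example.com', 'http://me.example.com:8080'));     // false
console.log(canTalkAfterDomainRelax('http://me.example.com', 'example.com',
                                    'http://me2.example.com', 'example.com'));      // true
console.log(canTalkAfterDomainRelax('http://me.example.com', 'example.com',
                                    'http://you.example.org', 'example.org'));      // false
```

The point of the relaxation branch is the one the post alludes to: setting document.domain does not let me.example.com reach anywhere it likes, only other pages that have opted into the same parent domain, and never a hostname that is not actually under that parent.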
To wrap up, the Same Origin Policy is a measure to keep things inside a sandbox and prevent execution from places it doesn’t belong. It doesn’t have to be JavaScript, but can also be Java, Flash, and so on. If you want additional reading, try these sites:
http://blog.sweetxml.org/2007/11/javascript-security-model-same-origin.html
http://www.mozilla.org/projects/security/components/same-origin.html
http://www.mozilla.org/projects/security/components/sectalk/slide4.xml
http://www.mozilla.org/projects/security/components/sectalk/slide5.xml