The Same-Origin Policy and CORS

Anton Ioffe - September 24th 2023 - 19 minutes read

In this spotlight piece, we take a deep dive into the complex domain of web security, as we thread through the intricate workings of the Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) in JavaScript development. Web security finds its roots in these concepts, and our understanding of how they shape our applications is paramount. Beyond theoretical musings, we provide a practical exploration of these topics, with real-world code snippets and case studies as companions.

Our voyage begins with untangling the concepts of SOP and CORS, unravelling their mechanisms, and exploring their dynamic roles in modern web development. Yet, we go further, examining the practical scenarios in which these security measures are employed, from simple to preflighted CORS requests, and understand how they contribute to creating secure web experiences.

Peeling back layer after layer, we explore grey areas in CORS implementations, counter CSRF and XSS attacks, and scrutinize the interplay between SOP, CORS, and DOM API in the context of JavaScript. This insightful journey is balanced with an exploration of potential vulnerabilities and the importance of robust configuration. Whether you're a seasoned web developer or on your way to becoming one, this in-depth exploration serves to enrich your understanding, and equip you for the challenge of creating secure, high-performance JavaScript applications. Let's delve in.

Same-Origin Policy - Breaking Down the Walls

The Same-Origin Policy (SOP) is a crucial security feature fundamental to web browsers. It acts as the first line of defense, restricting how scripts or documents loaded from one origin can interact with a resource from a different origin. The principle is straightforward and centers around the concept of 'origin', but its implications are comprehensive, bringing in aspects of the HTTP protocol, cookies, CSRF, and more.

Decoding the 'Origin'

Before delving into the SOP, it is essential to understand what 'origin' means in this context. An origin is defined by three components - the protocol (such as HTTP or HTTPS), the hostname or domain name (like, and the port number (often 80 for HTTP and 443 for HTTPS, among others). In simple terms, the origin is the combination of the scheme, the host, and the port. For instance, and represent the same origin.

In SOP, the origin of the running script is compared with the origin of the requested resource. If they match distinctly, the policy permits script access to the resource. For example, and share the same origin and thus can interact with each other.

The Purpose of SOP

The primary aim of the SOP is to safeguard critical data and prevent potentially catastrophic cross-domain interactions, such as one website stealing data from another. The policy allows scripts on a webpage to access data on another page, but only if both pages share the same origin.

With SOP, documents or scripts from one origin are siloed, unable to interact with resources from a different origin. The isolation serves an essential purpose - protecting sensitive user data. In simple terms, it keeps your browsing experience segregated, ensuring that scripts running on one tab or from a particular source cannot interact with or access data loaded in another tab, iframe, etc., of a different origin.

Interaction with Cookies

The SOP also plays a vital role when it comes to interaction with cookies. Generally, cookies are tied to a specific domain, which means a cookie set by a specific domain cannot be accessed by another domain due to the SOP. So, when a user logs into a service like an email client, only requests that originate from the same domain can access the cookies associated with that domain. This protects the user's sensitive data stored in cookies from being exposed to requests from a different origin.


In some cases, SOP alone isn’t enough to protect our applications — the Cross-Site Request Forgery (CSRF) flaw is an excellent example of that. CSRF can trick victims into performing actions they didn’t intend to, often leading to unwanted results. Here, SOP is not restrictive enough to avoid such situations as it won’t prevent sending requests to different origins but only restricts reading the responses from them.

However, the existence of SOP can make CSRF attacks less dangerous. Without SOP, malicious scripts could easily read the response of a CSRF attack, potentially exposing sensitive data. While SOP doesn't stop the request, it does prevent the reading of responses from other origins, adding a crucial line of defense.

In conclusion, the Same-Origin Policy is a steadfast guard in the world of web development, ensuring that potential vulnerabilities and exploit vectors are kept at bay. However, it’s the judicious and due diligence practices of us–the developers, which can fortify the security further. Regardless of SOP’s limitations, it undoubtedly plays a vital role in web security. Are there possibilities for you to further reinforce the SOP’s implementation in your current web application?

CORS - Bridging Origins without Compromising Security

CORS - Bridging Origins without Compromising Security

Web development in the modern era encounters a fascinating challenge. As the applications have become more interactive and powerful, it has become increasingly necessary for distinct elements of these applications, potentially originating from disparate domains, to communicate with one another. This brings forth an installed boundary in web security known as the same-origin policy or SOP. Thankfully, a mechanism exists to allow a controlled circumvention of this policy: Cross-Origin Resource Sharing or CORS.

Relaxation of SOP with CORS

CORS allows web pages to make requests to different domains, essentially relaxing the limitations enforced by SOP. This feature is beneficial in scenarios where web pages need to access resources that do not originate from the same domain. For instance, if a webpage hosted at needs to make a request to a server located at, it can do so, given CORS settings are appropriately configured at the server end.

Key Mechanism of CORS

The brilliance of CORS lies in its mechanism. When a client-side application initiates a request, it indicates the request origin by adding an Origin header. Once the server receives the request, it evaluates this Origin against its CORS policy. If approved, the response from the server includes the Access-Control-Allow-Origin header validating the client-side that the request was indeed legitimate.

Through this exchange of HTTP headers, CORS successfully establishes a secure channel for cross-origin interactions between clients and servers without compromising the site security.

Safe CORS Implementation

Even though CORS provides a way to relax SOP and facilitate necessary cross-domain requests, its misuse can potentially lead to vulnerabilities. An improperly configured CORS opens the window for potential cross-domain attacks.

To avoid such issues and implement CORS safely, care should be taken not to set the Access-Control-Allow-Origin field to the wildcard *, allowing requests from any domain. This setting should instead be configured explicitly to list the trusted origins. Especially when credentials are involved, such as Cookies or Authorization headers, the origins should be explicitly whitelisted, thus eliminating any possible intrusions.

Taking Advantage of CORS in Web Development

In essence, while CORS offers a powerful toolset for developers to bypass SOP restrictions and interact with resources across domains, emphasis must be placed on carefully crafting the security policies and ensuring the application is secure.

CORS represents a meticulously implemented security booth at the "bridge" between origins, allowing secure passage only to authenticated and authorized requests, keeping potential threats at bay. Implemented properly, it can be an incredibly potent tool that allows developers to access the full potential of their multi-domain applications without sacrificing an ounce of security.

How can you leverage CORS in your current or future projects to facilitate cross-origin interactions without sacrificing security? Can you think of situations where a meticulously configured CORS could be the key to a secure and fully functional multi-domain application?


CORS Harnessing - In-depth Insights into Simple and Preflight Requests

The Art of CORS Requests: Simple VS Preflight

Cross-Origin Resource Sharing (CORS) serves as a gateway that enables controlled interaction between resources from different origins, thereby extending the same-origin policy (SOP). In the world of CORS, two types of requests emerge: simple requests and preflighted requests. Let's delve into these two types, their unique factors and the ways they operate with HTTP methods, response headers, and custom headers.

Simple Requests

A simple request, as the name suggests, is a straightforward CORS request initiated without any prechecks or preliminary validations. These requests typically employ HTTP methods such as GET, POST, or HEAD, coupled with content types such as text/plain, application/x-www-form-urlencoded, or multipart/form-data. In this approach, the browser automatically appends an 'Origin' header, signifying the request's source origin.

When the server receives this 'simple' CORS request, it inspects the 'Origin' header and decides whether to permit the request, based on its implementation and the access-control policies. If the server approves the request, it responds by adding an Access-Control-Allow-Origin header.

This kind of approach has its merits and drawbacks. The simplicity in the operation makes it efficient, thereby enhancing performance. However, it lacks the robust scrutiny of a preflighted request which might hinder complex transactions and high-risk data sharing.

Example of a simple CORS request:

// Example of Simple Request
[fetch('', {](
  method: 'GET'      
.then(response => response.json())
.then(data => console.log(data))
.catch(err => console.error(err));

Preflighted Requests

On the other side of the spectrum are preflighted requests, which follow a two-step process, a preliminary 'preflight' request followed by the actual CORS request. Preflight requests are mandatory for HTTP methods other than GET, HEAD or POST or if the content types differ from those listed for simple requests.

The preflight request is an OPTIONS request sent to the server to verify whether the actual request can proceed or not. It includes headers that provide details about the subsequent request, such as the HTTP method, custom headers, or the Content-Type.

Once the server receives this preflight request, it validates the 'Origin' and returns a response indicating whether the actual request is permitted. If permitted, then the browser initiates the actual CORS request. This enhances the security of CORS transactions by adding an additional layer of verification.

Example of a preflighted CORS request:

// Example of Preflighted Request
fetch('', {
  method: 'POST',
  headers: {
    'Content-Type': 'application/json'
  body: JSON.stringify({ widget: 'new widget'}),
.then(response => response.json())
.then(data => console.log(data))
.catch(err => console.error(err));

However, preflighted requests add an additional round-trip to the server, thus increasing overall latency. This might not be as optimal for smaller, frequent requests, where performance is a primary concern.

CORS: A Fine Balancing Act

In conclusion, while CORS plays an essential role in managing cross-domain communications, selecting between simple and preflighted requests requires a trade-off between performance and security. On one side, simple requests provide a quicker, less complex implementation channel. On the other side, preflighted requests ensure stringent control and robust security. Understanding the distinction, pros, and cons of each type and applying them wisely in your web applications can lead to a harmonious balance between cross-domain interactions and security.

Advanced CORS Configurations - Tailoring Cross-Domain Interactions

For tailored cross-domain interactions, the CORS or Cross-Origin Resource Sharing specification provides numerous HTTP headers that grant fine control over such interactions. Understanding how to configure these properly is vital, lest any missteps lead to vulnerabilities, performance issues, or other security risks.

Among the primary HTTP headers developers must familiarize themselves with is the Access-Control-Allow-Origin (ACAO). This header instructs the browser about which domains are permitted to access a particular resource. Specifying the right origins here is of paramount importance. Straying from the white-list approach and opting for allowing all domains (*) may inadvertently expose sensitive data. Also, neglecting to include protocol or non-standard ports ( may cause problems. Validating origins rather than dynamically reflecting is recommended, as it prevents potential exploits.

// ACAO Header with Explicit Origin
res.setHeader('Access-Control-Allow-Origin', '');

// ACAO Header with Wildcard
res.setHeader('Access-Control-Allow-Origin', '*'); // NOT recommended

A common pitfall when working with these configurations is using wildcard selection (* While intuitively it might seem an effective way to allow all subdomains access, this is misconstrued as this approach is not part of the CORS specification. The wildcard here implies allowance for all domains which can lead to a severe security shortfall.

Beyond the ACAO header, there are other important headers to note such as Access-Control-Expose-Headers. This header is particularly important if any custom headers are being used in the response. By default, CORS requests expose only a few headers (Cache-Control, Content-Language, Content-Type, Expires, Last-Modified, Pragma). If a response contains other headers, the Access-Control-Expose-Headers should specify them so they won't be hidden in the browser.

// Exposing Custom Headers
res.setHeader('Access-Control-Expose-Headers', 'X-My-Custom-Header, X-Another-Custom-Header');

When it comes to caching, the Vary response header plays a significant role. This header informs caching servers that responses from your server can vary based on the origin of the request. With proper configuration, this can provide a boost to performance by ensuring that the correct cached responses are served to the correct origins. However, an oversight in specifying the Origin in the Vary response header can lead to incorrect cache handling and potential leaks between origins.

// Using Vary Header
res.setHeader('Vary', 'Origin');

In conclusion, tailoring CORS configurations for cross-domain interactions gives developers a powerful set of tools to control how resources are shared. However, failing to execute these configurations correctly can lead to several issues. Understanding the implications behind each HTTP header and how they interact is a prerequisite for managing safe and efficient cross-domain interactions.

Could you safely alter these CORS configurations on your current projects given these risks and benefits? How might concrete understanding of these configurations help you build more secure applications in the future? Remember, strategic application of CORS configurations can improve performance and security.

JavaScript Context - Interplay between SOP, CORS, and DOM API

The security of a modern web app greatly depends on how it handles JavaScript, DOM API, Same-Origin Policy (SOP), and Cross-Origin Resource Sharing (CORS). These four items interact continuously, forming what we can call the JavaScript context, that balances functionality, accessibility, and security.

In order to understand the dynamic interplay within the JavaScript context, we first need to understand the roles each component plays.

The Role of JavaScript and the DOM API

JavaScript is the scripting language that drives most of today's web application functionality. It interacts with the Document Object Model (DOM), an API provided by the browser, to manipulate HTML and CSS, creating dynamic content. But with power comes responsibility and security challenges, mainly because it can potentially grant access to cross-domain resources.

The Role of SOP

Enter the SOP. Introduced by Netscape, SOP restricts JavaScript's access to cross-origin resources. The purpose of SOP is to prevent attacks originating from other websites that could steal private data or manipulate functionality. SOP enforces a simple rule: a script running on a web page may only interact with resources originating from the same domain.

The Role of CORS

However, web applications constantly need to access resources from other domains. Majorly blocking cross-domain interactions with SOP could adversely affect the user experience. This is where CORS comes in. CORS is a mechanism that extends SOP, providing controlled access to resources located outside a web domain. This adds flexibility to interacting with cross-domain resources without heavily compromising security. It's an agreement between the browser and server: The server tells the browser it's okay to allow a page from another domain to make a request.

Now that we've established a basic understanding of these roles, let's discuss the intricate web they form within the JavaScript context.

JavaScript and the DOM API enable the rendering and functionality of an application. The SOP, which is implemented and respected at the browser level, sets a boundary that JavaScript cannot cross. However, JavaScript can still issue requests to other domains, it just can't access the responses–that would be a potential security vulnerability.

This is where CORS steps in, acting as a negotiator between the JavaScript and the server where the requested resource lives. If properly configured on the server side, CORS sets policy that allows certain cross-origin responses to be accessed by JavaScript.

This intricate balancing act enhances both the functionality and security of a modern web application.

But, does it mean all is well and secure in the realm of JavaScript context?

It's noteworthy that even with SOP and CORS in operation, security challenges still exist. One such area lies in JavaScript APIs like iframe.contentWindow, window.parent,, and window.opener that allow documents to directly reference each other. When two documents do not have the same origin, these references provide very limited access to Window and Location objects. These APIs provide certain opportunities for security breaches if not handled well.

Therefore, developers need to understand the JavaScript context thoroughly, not just for creating user-friendly and dynamic web applications, but also to ensure data privacy and application security.

So, when starting on a new web development project, consider how your JavaScript interacts with DOM API, SOP and CORS. Think about how to utilize these interactions for your benefit while avoiding potential security pitfalls. Remember, maintaining a balance in this complex JavaScript context is key.

Exploring Grey Areas in CORS Implementations

As developers, it's crucial to understand and implement effectively the concept of Cross-Origin Resource Sharing (CORS) in web applications. CORS is a security mechanism, offering necessary flexibility against the restrictive same-origin policy (SOP) in modern browsers. Browsers' default behavior is to impose restrictions on cross-origin HTTP requests from our scripts using AJAX methods. SOP insists that interactions between web resources must share the same origin, thereby limiting dangers of malicious scripts.

However, there are numerous grey areas facing developers implementing CORS. This often results in common pitfalls and vulnerabilities, contributing to lenient configurations, which could lead to cross-origin attacks, especially if CORS policies are not correctly configured and implemented.

Lenient CORS Configurations and Vulnerabilities

A common lapse by developers is overly broad CORS settings in an attempt to allow trusted cross-origin requests. This is usually a product of incorrect implementation of CORS or failure to limit the Access-Control-Allow-Origin (ACAO) header to trusted domains only.

Take for example this JavaScript snippet:

  origin: '*'

Here, the ACAO header allows access from all origins. Such a lenient configuration can potentially expose sensitive data to malicious domains. The proper approach is to specify trusted domains. For instance, if your application should only receive requests from '', your configuration should be as follows:

  origin: ''

Origin Reflection Vulnerability

Another possible risk comes with implementing origin reflection. If an application takes the incoming Origin header from a client-side request and mirrors it back in the ACAO response header, it appears to satisfy the browser’s CORS policy. This technique creates a potential loophole for attackers, who can manipulate the Origin header.

Looking at this PHP code snippet:

header('Access-Control-Allow-Origin: '.$_SERVER['HTTP_ORIGIN']);

This configuration poses a potential risk as it dynamically accepts any origin without validation. To prevent such CORS vulnerabilities, it is preferred not to use dynamic reflection but instead maintain a list of trusted domains from which cross-origin requests are allowed.

Whitelisting Null Origins

Unexpected consequences arise in situations where 'null' is whitelisted within the ACAO. Related to sandboxed requests and internal documents, the 'null' origin might get misused in potential attacks.

Consider the following configuration:

  origin: 'null'

This configuration leaves room for manipulative attacks. It is advisable to avoid such configurations and set ACAO to specifically trusted domains only.

Avoid Wildcards in Internal Networks

In internal networks, wildcards are often used in ACAO headers, a practice that ought to be avoided. Even though network configuration might be trusted, this is not sufficient protection when internal browsers can access untrusted external domains, leading to potential cross-domain attacks.

CORS and Server-side Security Policies

While CORS is a powerful tool for controlling browser behavior related to cross-origin requests, developers should remember that it's not a replacement for server-side security policies. Sensitive data should still enjoy the protection of traditional server-side defenses such as authentication and session management.

In conclusion, CORS is not an absolute defense mechanism against cross-origin attacks but exists to complement other security protocols. It provides developers controlled access for web resources beyond their domain but needs careful implementation. Attention to configuration, validating incoming origin requests, and sticking to trusted domains helps prevent potential CORS misconfigurations and related attacks.

Beating CSRF and XSS - Lessons from SOP and CORS

The Cross-Site Conundrum: CSRF and XSS

When discussing web security, two common attack vectors that crop up often are Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS). These threats exploit the trusting nature of web applications and misuse it to execute malicious activities for the attacker's gain.

CSRF tricks the victim into submitting a malicious request. It infiltrates the trust a website has in a user's browser, particularly when the user has an active session with cookie data on the site. XSS, on the other hand, involves injecting malicious scripts into vulnerable web applications. The scripts are executed in the browsers of other users, who are innocently using the application, thereby breaching user trust.

The Role of SOP and CORS in countering CSRF and XSS

The Same Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) play pivotal roles in thwarting CSRF and XSS attacks. SOP isolates scripts running on pages from the same origin, thus restricting an attacker's ability to affect the web application. CORS, which can be seen as an extension of SOP, grants web applications the flexibility to allow cross-origin requests in a controlled manner.

Let’s discuss the detailed workings and misuse protection mechanisms that the SOP and CORS provide.

Staving off CSRF with SOP and CORS

With CSRF, an attacker could trick a user into making a request to a site where the user is authenticated. The cookie tied to the site would be included in the request, making it appear legitimate to the unsuspecting web application.

This is where SOP and CORS come in. SOP would restrict a web-page from making a request to a different domain, hence eliminating the possibility of a CSRF attack. CORS, if implemented correctly, would only allow cross-domain requests from trusted origins. CORS strict mode even rejects any request with credentials unless the access control list for a server includes the specific origin.

Still, website developers shouldn't solely rely on SOP and CORS for CSRF protection. As a rule of thumb, implementing unguessable CSRF tokens along with SOP and CORS can enhance the security against CSRF attacks.

function generateCsrfToken(){
    // Here, we generate a csrf token to be sent along with every form and AJAX request
    let csrfToken = crypto.randomBytes(32).toString('hex');
    // The csrf token can be stored as a cookie or in session storage
    document.cookie = `csrfToken=${csrfToken}; path=/`;

This function generates a random token every time the user submits a form or sends an Ajax request. This token acts as a secondary verification key, making CSRF attacks much more challenging.

Guarding against XSS with SOP

By standard, SOP should offer protection against XSS attacks by preventing scripts loaded from one origin from obtaining data loaded from another origin. However, if a website permits user-provided inputs to include arbitrary JavaScript code, SOP would not offer protection. Therefore, to safeguard your application from XSS attacks, validate and sanitize all user inputs strictly along with the use of SOP.

function sanitizeInput(userInput){
    // The simplest way to prevent XSS is to remove all '<' and '>' characters from user input
    let sanitizedInput = userInput.replace(/<|>/g, '');
    return sanitizedInput;

This simple function can prevent an attacker from inserting script elements into the website by replacing the < and > characters from input.

Thought Provoking Questions

  1. How would you ensure that your CORS and SOP implementations are robust enough to overcome CSRF and XSS threats?
  2. When would you say relying solely on SOP and CORS for protection against CSRF and XSS becomes a security vulnerability?
  3. What additional measures would you adopt to secure applications against CSRF and XSS threats?

In conclusion, from the above discussions, it's clear that properly implemented SOP and CORS are effective web-security tools against CSRF and XSS. However, developers should always complement these with other precautions, such as sanitizing inputs and using CSRF tokens, to ensure optimum protection.


The article "The Same-Origin Policy and CORS" delves into the concepts of the Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS) in JavaScript development. It explains how SOP acts as a security measure to restrict how scripts or documents from one origin can interact with resources from a different origin, while CORS allows controlled interaction between resources from different origins. The article explores the purpose of SOP, its interaction with cookies and protection against CSRF attacks, and also delves into the mechanism and implementation of CORS.

Key takeaways from the article include the importance of understanding and implementing SOP and CORS properly to ensure secure web development. It emphasizes the need to carefully configure CORS settings to avoid vulnerabilities, such as overly broad configurations and reflection vulnerabilities. The article also highlights the role of SOP and CORS in countering CSRF and XSS attacks, while emphasizing the need for additional security measures such as CSRF tokens and input validation.

A challenging technical task for the reader would be to assess the CORS configurations in their current or future projects and ensure they are properly implemented and secure. The task would involve reviewing the Access-Control-Allow-Origin (ACAO) header settings, avoiding wildcards and whitelisting trusted origins, and considering the use of CSRF tokens and input sanitization to enhance security. The aim of this task is to encourage the reader to critically evaluate their CORS configurations and take steps to strengthen the security of their web applications.

Don't Get Left Behind:
The Top 5 Career-Ending Mistakes Software Developers Make
FREE Cheat Sheet for Software Developers