Security Testing Tutorial

Security Testing - Same Origin Policy

The Same Origin Policy (SOP) is an important concept in the web application security model.

What is Same Origin Policy?

Under this policy, a script running on a page is only permitted to access pages that originate from the same site, where a site is identified by the combination of the following −

  1. Domain

  2. Protocol

  3. Port

Example

The reason behind this behavior is security. If you have try.com in one window and gmail.com in another window, then you DO NOT want a script from try.com to access or modify the contents of gmail.com or run actions in context of gmail on your behalf.

Below are webpages from the same origin. As explained before, the same origin takes domain/protocol/port into consideration.

Below are webpages from a different origin.

  1. http://www.site.co.uk (another domain)

  2. http://site.org (another domain)

  3. https://site.com (another protocol)

  4. http://site.com:8080 (another port)

Same Origin Policy Exceptions for IE

Internet Explorer has two major exceptions to SOP.

  1. The first one is related to 'Trusted Zones'. If both domains are in the highly trusted zone, then the Same Origin Policy is not applied in full.

  2. The second exception in IE is related to the port. IE does not include the port in the Same Origin Policy check, hence http://website.com and http://website.com:4444 are considered to be from the same origin and no restrictions are applied.
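The following is an added example, not code from the tutorial, that turns the origin comparison described above into working JavaScript. It uses the WHATWG URL parser that browsers and Node.js both provide, checks the three components the page lists (domain, protocol, port), and classifies the page's own list of URLs against http://site.com. The `ignorePort` option is an assumption of this example that models the Internet Explorer port exception from the last section; the sample URLs are the page's, and the helper names (`originOf`, `isSameOrigin`, `classify`) are mine.

```javascript
// Added example (not from the tutorial): computing and comparing web origins
// the way the Same Origin Policy does, using the WHATWG URL parser.

// Return the origin tuple (protocol, hostname, port) for a URL string.
// The URL parser drops a port equal to the scheme's default (80 for http,
// 443 for https), so "http://site.com" and "http://site.com:80" yield the
// same tuple, which matches browser behaviour.
function originOf(urlString) {
  const u = new URL(urlString);
  return {
    protocol: u.protocol,   // e.g. "https:"
    hostname: u.hostname,   // e.g. "site.com"
    port: u.port,           // "" when it is the scheme's default port
  };
}

// Explain why two URLs are or are not same-origin.
// `ignorePort` is an assumed option modelling the IE exception in which the
// port is not part of the origin check; browsers following the standard SOP
// leave it false.
function originDifference(a, b, { ignorePort = false } = {}) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.hostname !== ob.hostname) return 'another domain';
  if (oa.protocol !== ob.protocol) return 'another protocol';
  if (!ignorePort && oa.port !== ob.port) return 'another port';
  return 'same origin';
}

// Boolean form of the check: true only when all compared components match.
function isSameOrigin(a, b, options) {
  return originDifference(a, b, options) === 'same origin';
}

// Classify a list of candidate URLs against a base URL, reporting which
// component differs. Useful when reviewing where a page's scripts may reach.
function classify(base, candidates, options) {
  return candidates.map((url) => {
    const reason = originDifference(base, url, options);
    return { url, sameOrigin: reason === 'same origin', reason };
  });
}

// Constructed sample input: the page's list of URLs, plus two URLs that do
// share the origin of http://site.com, for comparison.
const BASE = 'http://site.com';
const CANDIDATES = [
  'http://site.com/page.html',   // same origin (path does not matter)
  'http://site.com:80/other',    // same origin (80 is the default http port)
  'http://www.site.co.uk',       // another domain
  'http://site.org',             // another domain
  'https://site.com',            // another protocol
  'http://site.com:8080',        // another port
];

for (const r of classify(BASE, CANDIDATES)) {
  console.log(`${r.url.padEnd(28)} ${r.sameOrigin ? 'SAME' : 'DIFF'}  (${r.reason})`);
}

// The IE port exception: standard SOP says different origin, the IE model
// (ignorePort) says same origin.
console.log('standard SOP:', isSameOrigin('http://website.com', 'http://website.com:4444'));
console.log('IE port exception:',
  isSameOrigin('http://website.com', 'http://website.com:4444', { ignorePort: true }));
```

Because the parser normalises default ports, the check also treats `http://site.com:80` as the same origin as `http://site.com`, which is what browsers do; a comparison done on raw strings would get that case wrong.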