🌍 What is the Same-Origin Policy?

The Same-Origin Policy (SOP) is a security mechanism built into web browsers that restricts how a script loaded from one origin can interact with resources from another origin.

👉 An origin is defined by three components:

• Protocol (http, https)

• Domain (example.com)

• Port (80, 443, etc.)

Two pages have the same origin only if all three match exactly.

Example:

• https://example.com:443/home

• https://example.com:443/profile

✅ Same origin (same protocol, domain, and port).

But:

• http://example.com/home

• https://example.com/home

❌ Different origins (different protocol).

⚔️ Why Do We Need SOP?

Without SOP, any website could:

• Steal your session cookies 🍪 from another site.

• Read sensitive data like emails or bank details.

• Perform unauthorized actions on your behalf.

Example: Imagine you’re logged into your bank in one tab. Without SOP, a malicious site in another tab could read your banking details directly through JavaScript. That’s a nightmare.

SOP prevents this by isolating each site and controlling what resources they can access across origins.

🔑 What SOP Restricts

SOP primarily restricts:

• DOM access → A script from one origin can’t read or modify the DOM of a page from another origin.

• Cookies & Local Storage → They’re bound to their origin.

• AJAX requests (XMLHttpRequest, Fetch API) → Can’t fetch data from a different origin unless allowed.

🚦 When SOP Gets in the Way

While SOP is essential for security, it can also be restrictive for developers. For example:

• A frontend app at

https://myapp.com

• may need data from an API hosted at

https://api.myapp.com

• .

• Since these are different origins, the browser blocks the request.

🌐 Enter CORS (Cross-Origin Resource Sharing)

To safely get around SOP’s restrictions, we use CORS.

• With CORS, the server explicitly allows specific origins to access its resources by sending special HTTP headers.

• Example: Access-Control-Allow-Origin: https://myapp.com.

This way, developers can securely share data across origins without breaking SOP.

🏗️ Real-World Example

• You’re logged into Gmail (https://mail.google.com).

• You also visit a random site (http://malicious-site.com).

• Without SOP, the malicious site could use JavaScript to read your emails directly from Gmail’s DOM.

• Thanks to SOP, this request is blocked, and your emails stay safe.

🔒 SOP and Modern Web Security

SOP isn’t perfect—it has its limitations. That’s why it’s often combined with other mechanisms:

• CORS → To allow controlled cross-origin communication.

• CSRF tokens → To prevent cross-site request forgery.

• Content Security Policy (CSP) → To control what scripts can run.

Together, these create a layered defense that keeps users safe.

🌟 Final Thoughts

The Same-Origin Policy is one of the most important, yet often overlooked, cornerstones of web security.

• It enforces isolation between sites, ensuring one site can’t interfere with another.

• While it sometimes frustrates developers, SOP is the reason we can safely log in to multiple websites in different tabs without worrying about data leaks.

Next time you see a CORS error in your console, remember: it’s SOP doing its job to protect users.

👉 Want more deep dives into web security, DevOps, and modern web frameworks?
Subscribe and stay updated on the tech that powers—and protects—the internet.