Same Origin Policy in Layman Terms
Can someone help me to better understand the Same Origin Policy. I've seen several websites describing it but I'm looking for an explanation much more simple, how would you describe it to a kid?
This link seems to do the best job that I've found. Can anyone expand? Can someone explain why this policy exists?
Same-origin policy is needed to prevent CSRF. Imagine this scenario:
- Bank manager Joe Fatcat has an account on his bank's administrative backend. This account lets him access confidential account info for anyone who banks at TBtF Bank. He can even reset someone's pin number, transfer funds, change account ownership, etc.
- Now, TBtF Bank lays off Jack the IT Guy. Now he's Jack the Digruntled Ex-IT-Guy, and he wants to take revenge on his former employer. Jack doesn't have access to the bank's administrative backend, but he knows Joe does.
var xhr = new XMLHttpRequest(), data = "from="+victimAccount + "&to="+jacksAccount + "&amt=a+gazillion+dollars"; xhr.open("POST", "http://tbtfbank.tld/accounts/wiretransfer.aspx", true); xhr.send(data);
- The next day, Joe arrives at his office and logs into his administrative account as he always does and leaves the tab open in the background.
- Joe sees an email containing links to pictures of Natalie Portman covered in hot grits. So naturally he clicks on it, opening the malicious webpage.
And Jack could have just as easily used the same technique to harvest thousands of account numbers and pins or any other information Joe the bank manager has access to via his account.
Luckily, the same-origin policy protects us from these types of attacks most of the time, since Jack's malicious page is hosted on a different domain from the bank application, it's not allowed to make XHRs to the bank application. Though the malicious page could still contain an image that makes a GET request to the bank application, so it's important that actions with side effects are not initiated via GET requests and that applications check the referrer header of requests they receive and take advantage of anti-CSRF tokens.
Basically it means - only scripts that are served from the same domain can access each others objects and properties without restriction (so if you have a .js file with named functions defined, you can call it from any other file hosted on the same domain).
So, if you are serving a script from a different domain restriction do apply.