Same origin policy

In computing, the same origin policy is an important security measure for client-side scripting (mostly JavaScript). The policy dates from Netscape Navigator 2.0, with necessary coverage fixes in Navigator 2.01 and Navigator 2.02. It prevents a document or script loaded from one origin from getting or setting properties of a document loaded from a different origin.

=Access restriction=

The philosophy of the same origin policy is simple: it is not safe to trust content loaded from any website. Since semi-trusted scripts run within a sandbox, they should only be allowed to access resources from the same website, and not resources from other websites, which could be malicious.

The term origin is defined using the domain name, the protocol and the port number. Two pages belong to the same origin if and only if all three values are the same. To illustrate, the following table gives examples of origin comparisons against the URL http://www.example.com/dir/page.html .
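As an added example that is not part of the original article, the following Python code applies the three-part origin definition above to the URL from the text and a few constructed comparison URLs, the kind of table the sentence refers to. Treating an omitted port as the scheme's default port (80 for http, 443 for https) is an assumption drawn from browser behaviour, not something the article states.

```python
from urllib.parse import urlsplit

# Default ports per scheme (assumption: browsers compare http://host/ and
# http://host:80/ as the same origin, so an omitted port maps to the default).
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """Return the (protocol, domain name, port) triple identifying a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()  # hostname is already case-folded
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def same_origin(url_a, url_b):
    """True only if protocol, domain name and port all match."""
    return origin(url_a) == origin(url_b)


# Constructed comparison cases against the base URL used in the text.
BASE = "http://www.example.com/dir/page.html"
CASES = [
    ("http://www.example.com/dir/page2.html", "same directory, same origin"),
    ("http://www.example.com/dir2/other.html", "path differs only, same origin"),
    ("http://www.example.com:80/dir/other.html", "explicit default port, same origin"),
    ("http://www.example.com:81/dir/other.html", "different port"),
    ("https://www.example.com/dir/other.html", "different protocol"),
    ("http://en.example.com/dir/other.html", "different domain name"),
    ("http://example.com/dir/other.html", "different domain name (no www)"),
]


def compare_all(base=BASE, cases=CASES):
    """Return {url: bool} saying whether each case shares base's origin."""
    return {url: same_origin(base, url) for url, _note in cases}


if __name__ == "__main__":
    for url, note in CASES:
        verdict = "same origin" if same_origin(BASE, url) else "DIFFERENT origin"
        print(f"{url:45} {verdict:17} ({note})")
```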

In practice this restriction rarely gets in the way: by using relative URLs and keeping a script's requests within its own origin, a site never triggers it.

=Overcoming access restriction=

It is possible to overcome this restriction by signing the script. In practice, however, signed scripts are rarely used. This is mainly because not everyone can afford a digital signature, especially not casual web developers. Also, even if the script is signed, a prompt window appears whenever the script requests extended privileges. This is a further security measure, since a signed script is by no means a trustworthy script: the signature establishes that the script comes from that origin, but what the script actually does remains unknown.

=Vendor adoption=

This policy is used in all major web browsers that support client-side scripting, with the exception of Internet Explorer, which insists on using its own security zones.

=See also=

*Signed script policy

=External links=

*[http://www.mozilla.org/projects/security/components/same-origin.html JavaScript Security: Same Origin (Mozilla)]
*[http://www.jsdir.com/red/jssecurity.pdf JavaScript Security in Communicator 4.x (PDF)]
*[http://jpspan.sourceforge.net/wiki/doku.phpid=(script removed)xmlhttprequest:behaviour#security Violating Same Origin Policy with XMLHttp: Cross-Browser Differences (SourceForge Wiki)]
*[http://www.devarticles.com/c/a/JavaScript/JavaScript-Security/1/ Second page of an article on JavaScript Security (focuses on Same Origin issues)]