Can someone help me to better understand the Same Origin Policy? I've seen several websites describing it, but I'm looking for a much simpler explanation: how would you describe it to a kid?
This link seems to do the best job that I've found. Can anyone expand? Can someone explain why this policy exists?
Same-origin policy is needed to prevent CSRF. Imagine this scenario:
// Script on Jack's malicious page; victimAccount and jacksAccount are assumed to be defined above.
var xhr = new XMLHttpRequest(),
    data = "from=" + victimAccount
         + "&to=" + jacksAccount
         + "&amt=a+gazillion+dollars";
xhr.open("POST", "http://tbtfbank.tld/accounts/wiretransfer.aspx", true);
// Send the body as a regular form submission so the bank's handler parses the fields.
xhr.setRequestHeader("Content-Type", "application/x-www-form-urlencoded");
// The victim's browser attaches the victim's bank cookies to this request.
xhr.send(data);
And Jack could have just as easily used the same technique to harvest thousands of account numbers and PINs, or any other information Joe the bank manager has access to via his account.
Luckily, the same-origin policy protects us from these types of attacks most of the time: since Jack's malicious page is hosted on a different domain from the bank application, it's not allowed to make XHRs to the bank application. The malicious page could still contain an image that makes a GET request to the bank application, though, so it's important that actions with side effects are not initiated via GET requests, that applications check the Referer header of requests they receive, and that they take advantage of anti-CSRF tokens.