Get a Pentest and security assessment of your IT network.

Request a quote
Cyber Security

Same Origin Policy: Explained

January 3, 2026

TL;DR

The Same Origin Policy (SOP) is a crucial web security feature that prevents malicious websites from accessing data from different websites you’re logged into. It protects your information by restricting scripts from one origin to access resources from another unless explicitly allowed.

What is the Same Origin Policy?

The SOP is a browser security mechanism. It limits how documents and scripts made available from one origin can interact with resources from other origins. An ‘origin’ is defined by the protocol (e.g., http or https), domain (e.g., example.com), and port (e.g., 80 or 443). If any of these differ, it’s considered a different origin.

Why is the Same Origin Policy Important?

  1. Prevents Cross-Site Scripting (XSS) Attacks: Without SOP, a malicious script injected into one website could steal cookies or sensitive data from another site you’re logged into.
  2. Protects User Data: It safeguards your personal information like login credentials and financial details.
  3. Maintains Website Integrity: Prevents unauthorized modifications to websites you visit.

How Does the Same Origin Policy Work?

Browsers enforce SOP automatically. Here’s a breakdown:

  1. Reading Data: Generally, scripts from one origin can freely read data (e.g., images, CSS) from other origins.
  2. Writing Data: Scripts are typically restricted from writing data to another origin. This includes things like setting cookies or modifying the DOM of a different website.
  3. Making Requests: Scripts can make requests to other origins (e.g., using fetch or XMLHttpRequest), but the browser will block access to the response if it violates SOP.

Example:

// Website A (https://example.com)
fetch('https://anotherwebsite.com/data')
  .then(response => { 
    // This will likely be blocked by the browser due to SOP.
    console.log(response.json());
  });

Ways to Bypass the Same Origin Policy (with caution!)

While SOP is vital, there are legitimate reasons to interact with different origins. These methods require careful consideration of security implications:

  1. Cross-Origin Resource Sharing (CORS): The server hosting the resource you want to access must explicitly allow your origin in its HTTP headers. This is the preferred method.
    • The server adds headers like Access-Control-Allow-Origin to specify which origins are permitted.
    • Example header: Access-Control-Allow-Origin: https://example.com (allows requests from example.com)
    • Using wildcard (*): Access-Control-Allow-Origin: * (allows requests from any origin – use with extreme caution!).
  2. JSONP (JSON with Padding): A legacy technique that uses the