Tuesday, 26 June 2018


In computing, the same-origin policy is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.

This mechanism is particularly significant for modern web applications that rely heavily on HTTP cookies to maintain authenticated user sessions, because servers act on the HTTP cookie information to reveal sensitive information or to take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent loss of data confidentiality or integrity.





History

The concept of the same-origin policy dates back to Netscape Navigator 2 in 1995. The policy was originally designed to protect access to the Document Object Model, but has since been extended to protect sensitive parts of the global JavaScript object.




Implementation

All modern browsers implement some form of the same-origin policy, as it is an important security cornerstone. The policies are not required to match an exact specification, but are often extended to define roughly compatible security boundaries for other web technologies, such as Microsoft Silverlight, Adobe Flash, or Adobe Acrobat, or for mechanisms other than direct DOM manipulation, such as XMLHttpRequest.



Origin determination rules

The algorithm used to calculate the "origin" of a URI is specified in RFC 6454, Section 4. For absolute URIs, the origin is the triple {scheme, host, port}. If the URI does not use a hierarchical element as a naming authority (see RFC 3986, Section 3.2) or if the URI is not an absolute URI, then a globally unique identifier is used. Two resources are considered to be of the same origin if and only if all these values are exactly the same.

To illustrate, the following table gives an overview of typical outcomes for checks against the URL "http://www.example.com/dir/page.html".

Unlike other browsers, Internet Explorer does not include the port in the calculation of the origin, using its Security Zones in its place.
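The following is an added example, not code from the article or from any browser vendor: it computes the RFC 6454 {scheme, host, port} triple with Node's built-in URL parser, treats non-hierarchical and relative URIs as opaque (globally unique) origins, and builds the kind of comparison table the text refers to for the URL above. The sample URLs are constructed, and the ignorePort option is an assumption added to mimic the Internet Explorer behaviour just mentioned.

```javascript
// Added example (not from the article): computing a web origin as the
// {scheme, host, port} triple of RFC 6454 section 4 and comparing two URIs.
// Uses Node's built-in WHATWG URL parser; no external modules needed.

// Default ports for the schemes whose port the URL parser elides when it is
// the default, so that "http://h:80/" and "http://h/" yield the same triple.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443, "ftp:": 21 };

let opaqueCounter = 0;

// Returns either a tuple origin or a globally unique (opaque) origin.
// Non-absolute URIs and URIs without a naming authority (data:, about:, file:)
// get a fresh unique identifier each time, so they never compare equal.
function originOf(uri) {
  let url;
  try {
    url = new URL(uri);            // throws for relative URIs such as "/dir/page.html"
  } catch {
    return { opaque: `unique-${++opaqueCounter}` };
  }
  if (url.host === "") {           // no host component: no naming authority
    return { opaque: `unique-${++opaqueCounter}` };
  }
  const port = url.port !== "" ? Number(url.port) : (DEFAULT_PORTS[url.protocol] ?? null);
  // Userinfo ("user:pw@"), path, query and fragment are deliberately ignored.
  return { scheme: url.protocol.slice(0, -1), host: url.hostname.toLowerCase(), port };
}

// Same origin iff scheme, host and port all match exactly. ignorePort (an
// assumption for this example) mimics Internet Explorer leaving the port out.
function sameOrigin(uriA, uriB, { ignorePort = false } = {}) {
  const a = originOf(uriA);
  const b = originOf(uriB);
  // Two separately computed opaque origins are never the same origin.
  if (a.opaque !== undefined || b.opaque !== undefined) return false;
  return a.scheme === b.scheme && a.host === b.host && (ignorePort || a.port === b.port);
}

// Builds a comparison table for one base URL against a list of candidates.
function compareAgainst(base, candidates, options) {
  return candidates.map((url) => ({ url, sameOrigin: sameOrigin(base, url, options) }));
}

// Constructed sample inputs, all compared with http://www.example.com/dir/page.html
const BASE = "http://www.example.com/dir/page.html";
const SAMPLES = [
  "http://www.example.com/dir/page2.html",          // same (only the path differs)
  "http://www.example.com/dir2/other.html",         // same
  "http://user:pw@www.example.com/dir2/other.html", // same (userinfo is ignored)
  "http://www.example.com:80/dir/other.html",       // same (explicit default port)
  "http://www.example.com:81/dir/other.html",       // different port
  "https://www.example.com/dir/other.html",         // different scheme
  "http://en.example.com/dir/other.html",           // different host
  "http://example.com/dir/other.html",              // different host
  "data:text/html,<p>hi</p>",                       // opaque origin, never the same
];

function printTable() {
  for (const row of compareAgainst(BASE, SAMPLES)) {
    console.log(`${row.sameOrigin ? "same     " : "different"}  ${row.url}`);
  }
}

printTable();
```

Running the block prints one line per sample URL; the explicit ":80" row is the case the text calls out, since the parser normalizes the default port away before the triple is compared.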



Security applications

The same-origin policy helps protect sites that use authenticated sessions. The following example illustrates a potential security risk that could arise without the same-origin policy. Assume that a user is visiting a banking website and does not log out. Then, the user goes to another site that has some malicious JavaScript code running in the background that requests data from the banking site. Because the user is still logged in on the banking site, the malicious code could do anything the user could do on the banking site. For example, it could get a list of the user's last transactions, create new transactions, and so on. This is because the browser can send and receive session cookies to the banking site based on the banking site's domain.

A user visiting the malicious site would expect that the site has no access to the banking session cookie. While it is true that the JavaScript has no direct access to the banking session cookie, it could still send and receive requests to the banking site with the banking site's session cookie attached. Because the script can essentially do the same things the user could, even CSRF protections on the banking site would not work.



Relaxing the same-origin policy

In some circumstances, the same-origin policy is too restrictive, posing problems for large websites that use multiple subdomains. At first, a number of workarounds, such as using the fragment identifier or the window.name property, were used to pass data between documents residing in different domains. Modern browsers support several techniques for relaxing the same-origin policy in a controlled manner:

document.domain property

If two windows (or frames) contain scripts that set document.domain to the same value, the same-origin policy is relaxed for those two windows, and each window can interact with the other. For example, cooperating scripts in documents loaded from orders.example.com and catalog.example.com might set their document.domain property to "example.com", making the documents appear to have the same origin and allowing each document to read properties of the other. Setting this property implicitly sets the port to null, which most browsers interpret differently from port 80 or even an unspecified port. To ensure that access will be allowed by the browser, set the document.domain property of both pages.

Cross-Origin Resource Sharing

The second technique for relaxing the same-origin policy is standardized under the name Cross-Origin Resource Sharing (CORS). This standard extends HTTP with a new Origin request header and a new Access-Control-Allow-Origin response header. It allows servers to use a header to explicitly list the origins that may request a file, or to use a wildcard and allow a file to be requested by any site. Browsers such as Firefox 3.5, Safari 4, and Internet Explorer 10 use this header to allow cross-origin HTTP requests with XMLHttpRequest that would otherwise be forbidden by the same-origin policy.

Cross-document messaging

In another technique, cross-document messaging allows a script from one page to pass textual messages to a script on another page regardless of the scripts' origins. Calling the postMessage() method on a Window object asynchronously fires an "onmessage" event in that window, triggering any user-defined event handlers. A script on one page still cannot directly access methods or variables on the other page, but the two can communicate safely through this message-passing technique.
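As an added example (not code from the article), the following shows both halves of such an exchange with the checks each side should make: the sender names the origin it expects the receiving window to have, and the receiver's onmessage handler verifies event.origin before trusting event.data and replies only to that verified origin. The two page origins are assumptions, and the window objects are inline stand-ins that deliver messages synchronously so the logic runs outside a browser.

```javascript
// Added example (not from the article): both halves of a cross-document
// message exchange, with the origin checks each side should perform.
// Page origins are assumptions; the window objects below are stand-ins
// built inline so the logic can run outside a browser.

const APP_ORIGIN = "https://app.example.com";       // hypothetical embedding page
const WIDGET_ORIGIN = "https://widget.example.net"; // hypothetical embedded frame

// Sender: always name the origin you expect the receiving window to have.
// A targetOrigin of "*" delivers the message even if that frame has since
// been navigated to an unrelated site, so refuse it for sensitive payloads.
function sendMessage(targetWindow, payload, targetOrigin) {
  if (targetOrigin === "*") {
    throw new Error("refusing to post a sensitive message to any origin");
  }
  targetWindow.postMessage(JSON.stringify(payload), targetOrigin);
}

// Receiver: the onmessage handler checks event.origin before it trusts
// event.data, validates the shape of the data, then hands it to onTrusted.
function makeOnMessage(trustedOrigins, onTrusted) {
  return function onMessage(event) {
    if (!trustedOrigins.includes(event.origin)) {
      return { accepted: false, reason: `untrusted origin ${event.origin}` };
    }
    let data;
    try {
      data = JSON.parse(event.data);
    } catch {
      return { accepted: false, reason: "malformed payload" };
    }
    if (data === null || typeof data.type !== "string") {
      return { accepted: false, reason: "missing message type" };
    }
    onTrusted(data, event);
    return { accepted: true, type: data.type };
  };
}

// Stand-in for a Window. Like a browser, postMessage drops the message when
// the receiving window's origin does not match targetOrigin, and fills in
// event.origin and event.source itself (here from the linked peer window).
function fakeWindow(ownOrigin, log) {
  const win = { origin: ownOrigin, handler: null, peer: null, postMessage: null };
  win.postMessage = (data, targetOrigin) => {
    if (targetOrigin !== ownOrigin) {
      log.push(`dropped: targetOrigin ${targetOrigin} != ${ownOrigin}`);
      return;
    }
    const result = win.handler({ origin: win.peer.origin, data, source: win.peer });
    log.push(`${ownOrigin} ${result.accepted ? "accepted" : "rejected"}: ${result.reason ?? result.type}`);
  };
  return win;
}

function simulateExchange() {
  const log = [];
  const app = fakeWindow(APP_ORIGIN, log);
  const widget = fakeWindow(WIDGET_ORIGIN, log);
  app.peer = widget;
  widget.peer = app;

  widget.handler = makeOnMessage([APP_ORIGIN], (data, event) => {
    // Reply to the origin that was just verified, never to "*".
    event.source.postMessage(JSON.stringify({ type: "ack", for: data.type }), event.origin);
  });
  app.handler = makeOnMessage([WIDGET_ORIGIN], () => {});

  // 1. Legitimate exchange: app -> widget, then the widget's ack back to app.
  sendMessage(widget, { type: "init", sessionHint: "constructed-value" }, WIDGET_ORIGIN);

  // 2. The same payload from an origin not on the widget's list is rejected.
  const stray = widget.handler({ origin: "https://other.example", data: JSON.stringify({ type: "init" }), source: {} });
  log.push(`stray ${stray.accepted ? "accepted" : "rejected"}`);

  // 3. A sender that names the wrong targetOrigin never reaches the handler.
  sendMessage(widget, { type: "init" }, "https://typo.example.net");
  return log;
}

console.log(simulateExchange().join("\n"));
```

The ordering of the log lines shows the nesting: the widget's handler posts the ack while still processing the init message, so the app's acceptance is recorded first.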

JSONP

JSONP allows a page to receive JSON data from a different domain by adding a <script> element to the page that loads the JSON response, wrapped in a callback, from the other domain.

WebSockets

Modern browsers allow scripts to connect to WebSocket addresses without applying the same-origin policy. However, they recognize when a WebSocket URI is used and insert an Origin: header into the request that indicates the origin of the script requesting the connection. To ensure cross-site security, the WebSocket server must compare the header data against a whitelist of origins allowed to receive a reply.



Corner cases and exceptions

The behaviour of same-origin checks and related mechanisms is not well defined in a number of corner cases, such as for pseudo-protocols that do not have a clearly defined host name or port associated with their URLs (file:, data:, etc.). This has historically caused a fair number of security problems, such as the generally undesirable ability of any locally stored HTML file to access all other files on the disk, or to communicate with any site on the Internet.

Additionally, many legacy cross-domain operations that predate JavaScript are not subject to same-origin checks; one example is the ability to include scripts across domains, or to submit POST forms.

Finally, certain types of attacks, such as DNS rebinding or server-side proxies, allow the host-name check to be partially subverted, making it possible for rogue web pages to interact directly with sites through addresses other than their "true", canonical origin. The impact of such attacks is limited to very specific scenarios, since the browser still believes it is interacting with the attacker's site and therefore does not disclose third-party cookies or other sensitive information to the attacker.



See also

  • Cross-origin resource sharing
  • Cross-site scripting
  • Cross-site request forgery
  • Cross-document messaging
  • Content Security Policy





External links

  • A detailed comparison of several same-origin policy variants
  • A review of deficiencies in same-origin policies and their implications for web security, on the Wayback Machine (archived February 11, 2007)
  • Vendor-provided example with the same-origin policy specification
  • HTML5 definition of origin
  • W3C article on the same-origin policy
  • RFC 6454 on the concept of a web origin
  • Blog post: The same-origin policy for cookies

Source of the article: Wikipedia
