Same origin (Security related)

A policy governing which scripts may access content across window and frame boundaries.

The same origin policy is a foundational concept in browser security. Put simply, it states that a script may access the contents of another window or frame only if the document loaded into that target came from the same host, on the same port, using the same protocol (scheme) as the document containing the script.

This ensures, for example, that an http: page cannot read https: content, and that a page served by a web server on port 80 cannot read values from a (potentially different) web server on port 8080. In both cases the host must also be the same; all three components (protocol, host, port) are compared, and a mismatch in any one of them makes the two documents different origins.

This can be relaxed by a signed script that has been granted the UniversalBrowserRead privilege, which allows properties to be read from windows containing objects that came from a different origin. The UniversalBrowserWrite privilege allows those objects with a different origin to be modified. Granting both allows a script to read and write properties in a window with a different origin, so both should only be granted to code whose signature the user trusts.

The same origin policy applies to most, but not all, properties of a window; a few are deliberately left accessible so that cross-origin navigation and window management still work (for example, a script may navigate another window by setting its location even when it cannot read it). It does apply to almost every property belonging to a document object.

You can allow documents from different origins to access properties belonging to your window and document, but you need to provide a public API to let them do this rather than relying on direct property access. You can alias the private properties by publishing them as user-defined values through that API, which keeps the set of exposed properties explicit and small.

You can also relax the same origin policy, as far as host names are concerned, by setting the domain property of the document. A document may set document.domain only to a genuine suffix of its own host name (www.example.com may become example.com, but not some other domain, and not a bare top-level domain). If two documents served from different hosts under the same parent domain both set the domain value to that same parent domain, the same origin policy is relaxed between them; both documents must set it, and the protocol and port must still match. Note that doing so trusts every host under that parent domain, and that current browsers treat document.domain as deprecated.
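The following is an added example, not code from the original reference entry: a small model of the origin comparison described earlier in this entry (protocol, host and port) together with the document.domain relaxation described in the preceding paragraph. The helper names (originOf, sameOrigin, canSetDomain, sameOriginWithDomain) are assumptions made for this page; a browser applies the equivalent rules internally. The URLs are constructed for illustration.

```javascript
// Added example for this entry (not from the original page). Models the
// same origin comparison and the document.domain relaxation. Runs in
// Node or a browser; uses the standard URL parser.

// Ports the URL parser elides because they are the scheme's default.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to the (protocol, host, port) triple the policy compares.
function originOf(url) {
  const u = new URL(url);
  return {
    protocol: u.protocol,
    host: u.hostname,
    // "http://host:80/" and "http://host/" are the same origin, so put the
    // default port back before comparing.
    port: u.port || DEFAULT_PORTS[u.protocol] || '',
  };
}

// Strict same origin: all three components must match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.protocol === y.protocol && x.host === y.host && x.port === y.port;
}

// A document may only set document.domain to its own host name or to a
// suffix of it that ends on a label boundary (www.example.com -> example.com).
// Assumption/simplification: a bare top-level label such as "com" is
// rejected by requiring a dot; real browsers consult the public suffix list.
function canSetDomain(host, domain) {
  if (host === domain) return true;
  return domain.includes('.') && host.endsWith('.' + domain);
}

// Relaxed check. domainA / domainB are the values each document assigned to
// document.domain, or null if it never set one. Both must set the same
// value; protocol and port are still compared strictly.
function sameOriginWithDomain(a, domainA, b, domainB) {
  const x = originOf(a);
  const y = originOf(b);
  if (x.protocol !== y.protocol || x.port !== y.port) return false;
  if (domainA === null && domainB === null) return x.host === y.host;
  if (domainA === null || domainB === null) return false; // one side opted out
  if (!canSetDomain(x.host, domainA) || !canSetDomain(y.host, domainB)) {
    return false; // an illegal domain value would be refused by the browser
  }
  return domainA === domainB;
}

// Constructed cases mirroring the rules stated in the entry.
function demo() {
  return {
    samePage: sameOrigin('http://www.example.com/a', 'http://www.example.com/b'),
    protocolDiffers: sameOrigin('http://www.example.com/', 'https://www.example.com/'),
    portDiffers: sameOrigin('http://www.example.com/', 'http://www.example.com:8080/'),
    explicitDefaultPort: sameOrigin('http://www.example.com/', 'http://www.example.com:80/'),
    relaxedByDomain: sameOriginWithDomain(
      'http://www.example.com/', 'example.com',
      'http://shop.example.com/', 'example.com'),
    onlyOneSideSet: sameOriginWithDomain(
      'http://www.example.com/', 'example.com',
      'http://example.com/', null),
    domainButProtocolDiffers: sameOriginWithDomain(
      'http://www.example.com/', 'example.com',
      'https://shop.example.com/', 'example.com'),
  };
}
```

The onlyOneSideSet case is the one that surprises people: a page at example.com that never assigns document.domain is not same origin with www.example.com after the latter sets its domain to example.com, even though the host names would otherwise appear compatible.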

See also: export, import, Security policy, Signed scripts, UniversalBrowserAccess, UniversalBrowserRead, UniversalBrowserWrite