Questions tagged [same-origin-policy]
The same-origin policy is one of several models that web browsers use to determine which JavaScript in a webpage may be executed. This is determined by the domain (the origin).
153 questions
1 vote, 1 answer, 174 views
SOP (Same Origin Policy) and CDN SVG XSS
If an SVG file with an XSS payload is hosted on, say, cdn.example.com and is loaded as a display picture on, say, mainprod.com, can the XSS payload within the SVG file access and steal cookies from ...
1 vote, 1 answer, 440 views
Is prohibiting cookies a viable CORS alternative?
I have been using lots of various APIs in my frontend lately and they all have to be properly configured with CORS, and the browser always does an extra OPTIONS request that only makes debugging harder.
I ...
0 votes, 1 answer, 111 views
Why does the DOM single-origin policy take into account protocol and port? What if it was just domain?
I'm learning the basics of network security and am trying to really understand the single origin policy. I was wondering what the vulnerabilities would be if an origin was only defined by domain, as ...
2 votes, 3 answers, 364 views
Why don't browsers' same-origin policies allow anonymous cross-origin requests?
Generally I've read the motivation for browser same-origin policies is to prevent data being obtained by an attacker because of the sending of credentials in a cross-origin request, and that if you're ...
2 votes, 0 answers, 102 views
Auth Token not included in CORS exploit [closed]
I have found a CORS on a website but when I am trying to exploit it for a POC it is fetching all the cookies except auth cookies and due to that I am getting an error message to "User not logged ...
4 votes, 1 answer, 373 views
What does COEP do that CSP doesn't already do?
Both Cross-Origin-Embedder-Policy and Content-Security-Policy seem to do pretty similar things: they restrict the document from loading certain types of subresources (e.g. cross-origin subresources). ...
1 vote, 2 answers, 1k views
Is my understanding of CSRF, SOP and CORS correct (Express / React)?
I am a hobby developer and am developing an application with a Node.js / Express backend and a React frontend.
I am currently learning about Cross Site Request Forgery (CSRF), and I want to make sure ...
3 votes, 2 answers, 3k views
If browser cookies aren't shared between different websites, then why is Same origin Policy useful?
I'm a beginner to Web security and I recently started reading about Same Origin Policy and its usefulness in preventing a malicious website from interacting with a secure website being used by a user....
0 votes, 1 answer, 688 views
Why is Content Security Policy necessary given Same Origin Policy?
Given that Same Origin Policy prevents JavaScript from one origin from running in another origin and accessing another origin's cookies, why is CSP necessary?
Is it that CORS selectively removes some ...
0 votes, 1 answer, 958 views
COOP and COEP: Is there an advantage to enabling COOP / COEP if I don't need to use the sharedArrayBuffer or other features?
COOP: cross origin opener policy
COEP: Cross origin embedder policy
Most of the articles on the web related to COOP / COEP point to the fact that by enabling COOP / COEP, your web page can use the ...
2 votes, 3 answers, 1k views
Does SOP prevent a class of CSRF attacks?
Just want to settle a debate I'm having with someone.
Suppose there is no SOP. Via an XSS exploit, code can run on website A.com and submit an XHR request to B.com. Suppose B.com stores an auth token ...
0 votes, 1 answer, 289 views
Is the "same-origin" implied when using "frame-ancestor" in the CSP header?
If my Content-Security-Policy is set to the following:
Content-Security-Policy: frame-ancestors 'self'
Does it also imply:
Content-Security-Policy: default-src 'self'
Or is it a lot safer to put ...
0 votes, 1 answer, 601 views
Securing a Websocket Connection in case of XSS Vulnerability
Goal
Authenticate the Client via HTTP Request.
Authenticate the Client's WebSocket connection.
Prevent exploitation of the WebSocket connection (when an XSS vulnerability is present on the website).
How I'm ...
2 votes, 1 answer, 305 views
Would "same-origin cookies" make sense?
I have read Incrementally Better Cookies, a couple of web.dev articles and tried to google for "same-origin cookies" but could not find anything so I wonder if this is being worked on.
...
0 votes, 1 answer, 177 views
How do applications which are integrated using a javascript client side sdk, secure their data or disallow spam?
Take Google Maps as an example. Google Maps provides a JavaScript client SDK, which means any web app running JavaScript can access the Google Maps SDK. You need to use an API_KEY so that Google can ...