Skip to content
Related Articles

Related Articles

What is Same Origin Policy (SOP)?

View Discussion
Improve Article
Save Article
  • Last Updated : 05 Oct, 2021
View Discussion
Improve Article
Save Article

Same origin policy is a browser security feature that restricts a document or script loaded by one origin, to access or interact with documents or scripts from another origin. An origin consists of protocol, host and port. 

For example, consider the following URL:

In the above example “https://” is the protocol, “” is the host and port is “80”. 

Note : By default websites use port 80.

Same Origin Policy is necessary because when the browser makes a HTTP request from a origin to another origin all the associated data i.e cookies, authentication tokens, sessions or any relevant data is sent as part of the request. If the other origin is malicious, it will be able to access all information of the victim user.


If there was no Same Origin Policy in place and you visit a malicious website it would be able to read all messages from your social networking account.

Two origins are said to be same, when they have same protocol, host and port.

Let us compare the origin “” with the origins in the table below.

URL Same Origin? Yes, same protocol, host and port. Only the URL path differs.  Yes, same protocol, host and port. Only the URL path differs. No,  protocol is different. No, host is different. No, host and protocol is different No, port is different

Note: Internet Explorer will allow “https://geeksforgeeks:81/example” because IE doesn’t consider port number when applying same origin policy.

When Same Origin Policy enforces restrictions ?

The Same Origin Policy is applied by the browser, when two different origins are involved.

  • Contents from an iframe is not accessible by the page unless they are from the same origin.
  • XMLHttpRequests are not allowed.
  • Session Cookies from a particular site cannot be sent to a page with different origin.

Note: In case of cookies protocol and port are not checked. Only host is checked.

Same Origin Policy  doesn’t completely restricts interaction between two origins. The browsers check whether the interactions between the two origins poses a threat or not, if not, it allows the interactions.

Cross origin loading of page resource is generally allowed. You can embed an image with <image> tag, script with <script> tag or a video with <video> from a different site but any javascript code will not be able to read the content of these cross origin embedded elements.

Is Same Origin Policy enough ?

Same Origin Policy enforces some security but it is not enough to prevent all kinds of attacks. Some of them are:

  • Cross Site Request Forgery(CSRF) attack which basically takes advantage of different origins. This is why anti-CSRF tokens should be used in addition to Same Origin Policy.
  • Cross Site Scripting(XSS) attacks can also be prevented by Same Origin Policy but in order to prevent it will have to restricts loading of scripts from external sources, which may break the functionality of web applications.
My Personal Notes arrow_drop_up
Recommended Articles
Page :

Start Your Coding Journey Now!