Security Testing - Same Origin Policy


Same Origin Policy (SOP) is an important concept in the web application security model.

What is Same Origin Policy?

Under this policy, a script running on a page is allowed to read and modify the contents of other pages (for example, through the DOM or through XMLHttpRequest responses) only when those pages come from the same origin. Two pages share an origin only when all of the following match −

  • Protocol (scheme, e.g. http vs https)
  • Domain (host name)
  • Port

If any one of the three differs, the browser treats the pages as belonging to different origins and blocks the script's access.


The reason behind this behavior is security. If you have Gmail open in one window and an unrelated site open in another, you DO NOT want a script from that other site to read or modify the contents of the Gmail page, or to run actions in the context of Gmail on your behalf.

Below are webpages from the same origin. As explained above, the origin comparison takes the protocol, the domain and the port into consideration, and the path does not matter.


Below are webpages from a different origin.

  • domain)
  • (another domain)
  • (another protocol)
  • (another port)

Same Origin Policy Exceptions for IE

Internet Explorer has two major exceptions to the SOP. Both are legacy Internet Explorer behaviors; other browsers do not share them.

  • The first one is related to 'Trusted Zones'. If both domains are in a highly trusted zone (for example, corporate intranet sites), the Same Origin Policy is not applied at all between them.

  • The second exception in IE is related to the port. IE does not include the port in its origin comparison, hence two pages that differ only in port number are considered to be from the same origin and no restrictions are applied between them.
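The following is an added example, not code from the original page. It computes the origin tuple (protocol, host, port) of a URL with the standard WHATWG URL class and compares two URLs the way a browser's same-origin check does, then repeats the comparison with the port ignored to show the legacy Internet Explorer behavior described above. The host names are constructed for illustration; the default-port normalization (80 for http, 443 for https) is the standard browser rule.

```javascript
// Added example (not from the original page): compute the origin tuple of a
// URL and compare two URLs the way a browser's same-origin check does.
// Uses the WHATWG URL class (available in browsers and in Node.js).

// Default ports per scheme: the URL class drops an explicit default port,
// so we restore it to make "http://host" and "http://host:80" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Return the (scheme, host, port) tuple that defines an origin.
// Path, query and fragment are deliberately not part of the tuple.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// Browser semantics: all three components must match.
function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Legacy Internet Explorer semantics described on this page: the port is
// ignored, so URLs that differ only in port are treated as the same origin.
function isSameOriginIgnoringPort(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host;
}

// Constructed sample URLs (hypothetical hosts) covering the cases discussed.
const BASE = "http://www.example.com/home/index.html";
const CASES = [
  ["http://www.example.com/dir/page.html",        "same origin: only the path differs"],
  ["http://www.example.com:80/other.html",        "same origin: explicit default port"],
  ["http://api.example.com/home/index.html",      "different origin: another host"],
  ["https://www.example.com/home/index.html",     "different origin: another protocol"],
  ["http://www.example.com:8080/home/index.html", "different origin: another port"],
];

for (const [url, label] of CASES) {
  console.log(
    `${label.padEnd(40)} browser=${isSameOrigin(BASE, url)}` +
    ` ie-legacy=${isSameOriginIgnoringPort(BASE, url)}`
  );
}
```

Running the block prints one line per case; the only case where the two checks disagree is the one that differs solely in port, which is exactly the gap the legacy IE behavior opens.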