Browser Isolation
The same-origin policy is now a standard browser-side mechanism that protects simultaneously running web applications from one another. It restricts access to:
- DOM (i.e., the representation of the document)
- APIs for web access (XMLHttpRequest)
- Cookies and HTML5 local storage APIs, limiting them to pages from the same origin, i.e., the same protocol, host and port.
Browser sandboxing enhances this (e.g., in most modern browsers, separate tabs/frames run in separate processes).
Cross-Origin Resource Sharing
- Modern web applications use JavaScript APIs like fetch and XMLHttpRequest to send and receive data asynchronously.
- The Same-origin Policy restricts JavaScript from making requests to a different origin than the page itself, preventing unauthorised access to sensitive data.
- However, the Same-origin Policy is too restrictive for legitimate cases, such as APIs or third-party services.
- CORS (Cross-Origin Resource Sharing) was introduced as a standardised mechanism to relax the Same-origin Policy securely.
- CORS works by allowing servers to specify permitted origins using special HTTP headers, e.g.:
Access-Control-Allow-Origin: http://www.example.com
or
Access-Control-Allow-Origin: *
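As an added example (not part of the original notes), the following Node.js function shows how a server might decide which of the two header forms above to emit: an exact-match allowlist of origins for the first form, and the wildcard only for public, credential-free resources. The allowlist entries and the helper name corsHeaders are assumptions for illustration.

```javascript
// Constructed allowlist of origins (protocol + host + port) whose pages
// may read responses. Matching is exact: 'https://www.example.com' and
// 'http://www.example.com' are different origins, as are different ports.
const ALLOWED_ORIGINS = new Set([
  'http://www.example.com',          // the origin quoted in the notes
  'https://app.example.com:8443',
]);

// Build the CORS response headers for a request carrying an Origin header.
// Returns {} when the origin is not permitted, so the browser blocks the read.
function corsHeaders(requestOrigin, { allowCredentials = false, publicResource = false } = {}) {
  if (publicResource) {
    // Public data that needs no cookies: the wildcard form from the notes.
    // Browsers reject '*' combined with credentials, so the two are never paired here.
    return { 'Access-Control-Allow-Origin': '*' };
  }
  // Exact set membership, not endsWith()/includes() on the string: a suffix
  // check such as origin.endsWith('example.com') would also accept
  // 'https://notexample.com', which is a classic CORS misconfiguration.
  if (typeof requestOrigin !== 'string' || !ALLOWED_ORIGINS.has(requestOrigin)) {
    return {};
  }
  const headers = {
    'Access-Control-Allow-Origin': requestOrigin,
    // The value now depends on the request, so caches must key on Origin.
    'Vary': 'Origin',
  };
  if (allowCredentials) {
    // Only an explicitly listed origin may receive cookie-bearing responses.
    headers['Access-Control-Allow-Credentials'] = 'true';
  }
  return headers;
}

module.exports = { corsHeaders, ALLOWED_ORIGINS };
```

Reflecting whatever Origin the request carries (rather than checking it against the set) would make the first header form equivalent to the wildcard, but with credentials allowed, which is why the allowlist check sits before the header is built.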