Same-origin Security Policy (Web/Security, 2019. 8. 30. 11:27)
1. Overview
An origin is defined as the combination of URI scheme, hostname, and port number, and two pages must have the same origin before a script on one is allowed to read data from the other. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model (DOM). Note that the policy governs script access to data; the browser still loads cross-origin images, scripts, stylesheets and form targets, it just keeps their contents away from the other origin's scripts.
2. Description
2.1 Examples
The rows below are compared against a page served from http://www.example.com/ (scheme http, host www.example.com, default port 80), as the reason column implies.

| Compared URL | Outcome | Reason |
|---|---|---|
| http://www.example.com/dir/page2.html | Success | Same protocol, host, and port |
| http://www.example.com/dir2/other.html | Success | Same protocol, host, and port |
| http://username:password@www.example.com/dir2/other.html | Success | Same protocol, host, and port (the userinfo part is not part of the origin) |
| http://www.example.com:81/dir/other.html | Failure | Same protocol and host but different port |
| https://www.example.com/dir/other.html | Failure | Different protocol |
| http://en.example.com/dir/other.html | Failure | Different host |
| http://example.com/dir/other.html | Failure | Different host (exact match required) |
| http://v2.www.example.com/dir/other.html | Failure | Different host (exact match required) |
| http://www.example.com:80/dir/other.html | Depends | Port given explicitly; older browsers differed, current browsers drop the default port when parsing the URL and treat this as the same origin |

2.2 Relaxing the same-origin policy
2.2.1 document.domain
- If two windows (or frames) contain scripts that set document.domain to the same value (for example, pages at www.example.com and api.example.com both setting it to example.com), each window can access the other's DOM. Setting document.domain implicitly sets the origin's port to null, so both sides must set it explicitly, even a page that is already at the parent domain. The value must be a superdomain of the current host; it cannot be set to an unrelated domain. The mechanism is deprecated: it trusts every host under example.com, including any subdomain an attacker can find an XSS in, and current browsers ignore the setter unless the site opts out of origin-keyed agent clusters with the Origin-Agent-Cluster: ?0 header.
2.2.2 Cross-Origin Resource Sharing(CORS)
- This standard extends HTTP with an Origin request header and an Access-Control-Allow-Origin response header. A server can name the one origin that may read a response, or use the wildcard * to let any site read it. Because the header carries only a single origin value, a server that allows several origins has to compare the incoming Origin with its list and echo the matching value. CORS does not stop the request from reaching the server; it only controls whether the calling script may read the response (and, for requests that need a preflight, whether the real request is sent at all).
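The following is an added example, not code from the original post, of how a server decides which CORS headers to return. The allowlist of origins, the request shape `{ method, headers }` with lowercase header names, and the header values are assumptions. It shows the exact-match echo of a single origin, the preflight answer, and, for contrast, the reflect-any-origin anti-pattern.

```javascript
// Added example (not from the original post): deciding CORS response headers
// on the server. The allowlist, the request shape { method, headers } with
// lowercase header names, and the header values are assumptions.

const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Exact comparison of the serialized origin. A prefix or substring test
// ("startsWith('https://app.example.com')") would also accept
// https://app.example.com.evil.net, so never loosen this.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Returns { status, headers }: status is 204 for an accepted preflight,
// 403 for a rejected preflight, and null when the normal handler should
// produce the status. "Vary: Origin" is always set so a shared cache does
// not serve one origin's CORS headers to another.
function corsHeaders(req) {
  const origin = req.headers['origin'];
  const headers = { 'Vary': 'Origin' };
  const isPreflight = req.method === 'OPTIONS' &&
    typeof req.headers['access-control-request-method'] === 'string';

  if (!isAllowedOrigin(origin)) {
    // Same-origin request (no Origin header) or a disallowed origin:
    // send no Access-Control-* headers at all. The browser then refuses
    // to expose the response to the calling script.
    return { status: isPreflight ? 403 : null, headers };
  }

  // Echo exactly one allowlisted origin. "*" is never valid together with
  // Allow-Credentials; browsers reject that combination.
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Access-Control-Allow-Credentials'] = 'true';

  if (isPreflight) {
    headers['Access-Control-Allow-Methods'] = 'GET, POST, PUT, DELETE';
    headers['Access-Control-Allow-Headers'] = 'Content-Type, Authorization';
    headers['Access-Control-Max-Age'] = '600';
    return { status: 204, headers };
  }
  return { status: null, headers };
}

// The anti-pattern corsHeaders replaces: reflecting whatever Origin arrives
// while allowing credentials, which lets any site read a logged-in
// victim's responses. Kept here only for contrast.
function insecureReflectOrigin(req) {
  return {
    'Access-Control-Allow-Origin': req.headers['origin'],
    'Access-Control-Allow-Credentials': 'true',
  };
}
```

The rejected-origin branch sends no Access-Control-* headers rather than an explicit deny, because there is no "deny" value: the absence of a matching Access-Control-Allow-Origin is what makes the browser withhold the response.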
2.2.3 cross-document messaging
- Allows a script from one page to pass textual (or structured-cloneable) messages to a script on another page regardless of the two scripts' origins. Calling the postMessage() method on a Window object asynchronously fires a "message" event in that window, triggering any user-defined event handlers. A script in one page still cannot directly access methods or variables in the other page, but the two can communicate safely through this message-passing technique, provided the receiver checks event.origin before acting on the data (any page holding a reference to the window can send to it) and the sender passes a specific targetOrigin instead of "*" so the message is not delivered to a document that has replaced the expected one.
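An added example, not from the original post, of the two halves of a postMessage exchange: the widget-side handler that verifies event.origin and validates the payload, and the parent-side sender that names its target origin. The origins https://app.example.com and https://widget.example.net and the message type are assumptions. The handler returns its decision so the logic can be exercised outside a browser.

```javascript
// Added example (not from the original post): cross-document messaging with
// the origin check on the receiving side and an explicit target origin on
// the sending side. The two origins and the message types are assumptions.

const TRUSTED_PARENT = 'https://app.example.com';   // page that embeds the widget
const WIDGET_ORIGIN = 'https://widget.example.net'; // origin the widget is served from

// Receiver (runs inside the widget). Takes a MessageEvent-like object
// { origin, data, source } and returns what it decided. event.origin is
// filled in by the browser and cannot be forged by the sender; everything
// inside event.data can be.
function handleMessage(event) {
  if (event.origin !== TRUSTED_PARENT) {
    return { accepted: false, reason: 'untrusted origin ' + event.origin };
  }
  const msg = event.data;
  if (msg === null || typeof msg !== 'object' || typeof msg.type !== 'string') {
    return { accepted: false, reason: 'malformed message' };
  }
  switch (msg.type) {
    case 'setTheme':
      // Validate the value; never feed message fields to eval(), innerHTML
      // or location without a check like this one.
      if (msg.theme !== 'light' && msg.theme !== 'dark') {
        return { accepted: false, reason: 'bad theme' };
      }
      if (event.source) {
        // Reply only to the verified sender, at its verified origin.
        event.source.postMessage({ type: 'ack', theme: msg.theme }, event.origin);
      }
      return { accepted: true, action: 'theme:' + msg.theme };
    default:
      return { accepted: false, reason: 'unknown type ' + msg.type };
  }
}

// Sender (runs in the parent page). The second argument is the target
// origin: if the frame has been navigated elsewhere, the browser drops the
// message instead of delivering it to the wrong document. Passing "*" here
// would hand the message to whatever document occupies the frame.
function sendToWidget(widgetWindow, message) {
  widgetWindow.postMessage(message, WIDGET_ORIGIN);
}

// Browser wiring (skipped when run outside a browser):
if (typeof window !== 'undefined') {
  window.addEventListener('message', handleMessage);
}
```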
2.2.4 JSONP
- Since HTML <script> elements are allowed to retrieve and execute content from other domains, a page can bypass the same-origin policy and receive JSON data from a different domain by loading a resource that returns a JSONP payload. A JSONP payload consists of a JSON value wrapped in a call to a pre-agreed callback function. When the browser loads the script resource, the designated callback is invoked with the wrapped JSON as its argument. Because the whole response runs as script in the page, the provider can execute arbitrary code there, and a provider that echoes an unvalidated callback name turns its own endpoint into a cross-site scripting sink. JSONP predates CORS and should be replaced by it where possible.
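An added example, not from the original post, of a JSONP endpoint built with the callback-name validation the mechanism needs, and a simulation of what the client executes when the script arrives. The endpoint URL, the "callback" query parameter and the hardening details are assumptions about a typical JSONP provider, not a description of any real service.

```javascript
// Added example (not from the original post): producing a JSONP response
// and showing what the client executes. The endpoint, the "callback" query
// parameter and the hardening details are assumptions about a typical
// JSONP provider.

// Only a plain JavaScript identifier is accepted as the callback name.
const CALLBACK_RE = /^[A-Za-z_$][A-Za-z0-9_$]*$/;

// The whole response is executed as script by every caller's browser, so
// the callback name is an injection point: "alert(1);//" would turn the
// response into attacker-chosen script running on the provider's origin.
// Reject anything that is not an identifier instead of trying to escape it.
function jsonpResponse(callbackName, data) {
  if (typeof callbackName !== 'string' || !CALLBACK_RE.test(callbackName)) {
    throw new Error('invalid callback name');
  }
  // JSON.stringify output is valid JavaScript except that U+2028/U+2029
  // were not allowed unescaped in string literals before ES2019; escape them.
  const json = JSON.stringify(data)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  return {
    // Correct MIME type plus nosniff, so the response is never treated as
    // HTML if someone opens the URL directly.
    contentType: 'application/javascript; charset=utf-8',
    headers: { 'X-Content-Type-Options': 'nosniff' },
    // The leading comment is the classic defence against the "Rosetta
    // Flash" trick of crafting a callback so the response also parses as
    // a SWF file.
    body: '/**/ ' + callbackName + '(' + json + ');',
  };
}

// Client side: what <script src="https://api.example.net/data?callback=cb">
// does once the script arrives. Simulated with new Function so it runs
// outside a browser. The page has no way to inspect the payload before it
// executes, which is why JSONP is only safe with a provider you trust.
function runJsonp(body, callbackName) {
  let received;
  const callback = (payload) => { received = payload; };
  new Function(callbackName, body)(callback);
  return received;
}
```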
2.2.5 WebSockets
- Browsers do not apply the same-origin policy to WebSocket connections: a script may open a connection to any ws:// or wss:// address. The browser does, however, recognise the WebSocket URI and add an Origin header to the handshake request giving the origin of the script that requested the connection. To prevent cross-site WebSocket hijacking, the server must compare that header against an allowlist of permitted origins and refuse the handshake otherwise. Note the limit of this check: a non-browser client can send any Origin it likes, so it protects browser users from cross-site attacks but does not authenticate the client.
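An added example, not from the original post, of the Origin check a WebSocket server performs on the upgrade request, with a commonly seen weak prefix check placed beside the strict one. The allowlist and the `{ headers }` request shape with lowercase header names (as Node's http server presents them) are assumptions.

```javascript
// Added example (not from the original post): checking the Origin header of
// a WebSocket upgrade request before completing the handshake. The allowlist
// and the { headers } request shape with lowercase header names are
// assumptions.

const WS_ALLOWED = new Set([
  'https://app.example.com',
  'https://www.example.com',
]);

// A check seen in real code: a prefix match. It is bypassed by a host the
// attacker controls, e.g. https://app.example.com.evil.net, because the
// browser sends that string verbatim as Origin.
function weakOriginCheck(req) {
  const origin = req.headers['origin'] || '';
  return origin.startsWith('https://app.example.com');
}

// Strict check: parse the header as a URL so scheme and host are normalised
// (case, explicit default port), then compare the serialized origin exactly
// against the allowlist.
function strictOriginCheck(req) {
  const raw = req.headers['origin'];
  if (typeof raw !== 'string') return false;   // a browser always sends it
  let origin;
  try {
    origin = new URL(raw).origin;
  } catch (e) {
    return false;                               // "null" or garbage
  }
  if (origin === 'null') return false;          // opaque origin (sandboxed frame, file://)
  return WS_ALLOWED.has(origin);
}

// HTTP status to answer the upgrade with. 403 refuses the handshake, so the
// attacker's page never obtains a socket. A non-browser client can still
// forge Origin, so this defends only against cross-site WebSocket hijacking
// from a victim's browser; the user must still be authenticated on the
// socket itself.
function decideUpgrade(req) {
  return strictOriginCheck(req) ? 101 : 403;
}
```

With Node's http server this decision belongs in the 'upgrade' event handler before the socket is handed to the WebSocket library; with the ws package the same logic fits its verifyClient callback (library usage here is an assumption about how the check is wired, not part of the original post).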
2.3 CORS flowchart
(The flowchart diagram is not included in this copy.) The decision it shows: a cross-origin request that counts as "simple" (GET, HEAD, or POST with a form-type Content-Type and no custom headers) is sent immediately with an Origin header, and the browser checks Access-Control-Allow-Origin on the response before exposing it to script. Any other request (PUT, DELETE, a JSON body, custom headers) is preceded by an OPTIONS preflight carrying Access-Control-Request-Method and Access-Control-Request-Headers; only if the server answers with matching Access-Control-Allow-* headers is the real request sent. In the simple case the server still receives and processes the request, so CORS does not replace CSRF protection.
2.4 Access-Control-Allow-Origin
This response header indicates whether the response can be shared with requesting code from the given origin. Its value is a single serialized origin, the wildcard *, or null. The wildcard is not accepted by the browser when the request was made with credentials (cookies or an Authorization header), so a credentialed API must echo one specific allowlisted origin and should send Vary: Origin so caches keep the responses for different origins apart.
3. References
https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
https://en.wikipedia.org/wiki/Cross-origin_resource_sharing
https://en.wikipedia.org/wiki/Document_Object_Model
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin