Don’t let overlooked obligations become incidents. Learn how.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Close search
Huntress Logo in Teal
  • Platform Overview
    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed EDR

    Get full endpoint visibility, detection, and response.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed ITDR: Identity Threat Detection and Response

    Protect your Microsoft 365 and Google Workspace identities and email environments.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed SIEM

    Managed threat response and robust compliance support at a predictable price.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed Security Awareness Training Software

    Empower your teams with science-backed security awareness training.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ISPM

    Continuous Microsoft 365 and identity hardening, managed and enforced by Huntress experts.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Managed ESPM

    Proactively secure endpoints against attacks.

    Integrations
    Integrations
    Support Documentation
    Support Documentation
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
    See Huntress in Action

    Quickly deploy and manage real-time protection for endpoints, email, and employees - all from a single dashboard.

    Huntress Cybersecurity
  • Threats We Stop
    Phishing
    Phishing
    Business Email Compromise
    Business Email Compromise
    Ransomware
    Ransomware
    Infostealers
    Infostealers
    View Allright arrowView Allright arrow
    Industries We Serve
    Education
    Education
    Financial Services
    Financial Services
    State and Local Government
    State and Local Government
    Healthcare
    Healthcare
    Law Firms
    Law Firms
    Manufacturing
    Manufacturing
    Utilities
    Utilities
    View Allright arrowView Allright arrow
    Tailored Solutions
    MSPs
    MSPs
    Resellers
    Resellers
    SMBs
    SMBs
    Compliance
    Compliance
    What Gets Overlooked Gets Exploited

    Most days, nothing happens. But one day, something will.

    Huntress Cybersecurity
    Cybercriminals Have Evolved

    Get the intel on today’s cybercriminal groups and learn how to protect yourself.

    Huntress Cybersecurity
  • Pricing
  • Community Series
    The Product Lab

    Shape the next big thing in cybersecurity together.

    The Product Lab

    Shape the next big thing in cybersecurity together.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Fireside Chat

    Real people. Real perspectives. Better conversations.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    Tradecraft Tuesday

    No products, no pitches – just tradecraft.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    _declassified

    Exposing hidden truths in the world of cybersecurity.

    Resources
    Upcoming Events
    Upcoming Events
    Ebooks
    Ebooks
    On-Demand Webinars
    On-Demand Webinars
    Videos
    Videos
    Whitepapers
    Whitepapers
    Datasheets
    Datasheets
    Cybersecurity Education
    Cybersecurity 101
    Cybersecurity 101
    Cybersecurity Guides
    Cybersecurity Guides
    Threat Library
    Threat Library
    Real Tradecraft, Real Results
    Real Tradecraft, Real Results
    2026 Cyber Threat Report
    2026 Cyber Threat Report
    The Huntress Blog
    When Cybersecurity and Cyber Insurance Don’t Quite Connect—And What We’re Doing Differently with Acrisure
    Huntress Cybersecurity
    When Cybersecurity and Cyber Insurance Don’t Quite Connect—And What We’re Doing Differently with Acrisure
    Huntress Cybersecurity
    How EvilTokens Turbocharges Old School Phishing with AI
    Huntress Cybersecurity
    How EvilTokens Turbocharges Old School Phishing with AI
    Huntress Cybersecurity
    “Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat
    Huntress Cybersecurity
    “Service Agreement” Email Kickstarts Rogue RMM Tiflux Triple Threat
    Huntress Cybersecurity
  • Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    Why Huntress

    Go beyond AI in the fight against today’s hackers with Huntress Managed EDR purpose-built for your needs

    Huntress Cybersecurity
    The Huntress SOC

    24/7 Security Operations Center

    The Huntress SOC

    24/7 Security Operations Center

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Reviews

    Why businesses of all sizes trust Huntress to defend their assets

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Case Studies

    Learn directly from our partners how Huntress has helped them

    Community

    Get in touch with the Huntress Community team

    Community

    Get in touch with the Huntress Community team

    Compare Huntress
    Bitdefender
    Bitdefender
    Blackpoint
    Blackpoint
    Breach Secure Now!
    Breach Secure Now!
    Crowdstrike
    Crowdstrike
    Datto
    Datto
    SentinelOne
    SentinelOne
    Sophos
    Sophos
    Compare Allright arrowCompare Allright arrow
  • HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    HUNTRESS HUB

    Login to access top-notch marketing resources, tools, and training.

    Huntress Cybersecurity
    Partners
    MSPs

    Join our partner community to deliver expert-led managed security.

    MSPs

    Join our partner community to deliver expert-led managed security.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Resellers

    Partner program designed to grow your cybersecurity business.

    Tech Alliances

    Driving innovation through global technology Partnerships

    Tech Alliances

    Driving innovation through global technology Partnerships

    Microsoft Partnership

    A Level-Up for Your Business Security

    Microsoft Partnership

    A Level-Up for Your Business Security

  • Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Press Release
    Huntress Announces Collaboration with Microsoft to Strengthen Cybersecurity for Businesses of All Sizes
    Huntress Cybersecurity
    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Our Story

    We're on a mission to shatter the barriers to enterprise-level security.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Newsroom

    Explore press releases, news articles, media interviews and more.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Meet the Team

    Founded by former NSA Cyber Operators. Backed by security researchers.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Careers

    Ready to shake up the cybersecurity world? Join the hunt.

    Awards
    Awards
    Contact Us
    Contact Us
  • Portal Login
  • Support
  • Blog
  • Contact
  • Search
  • Get a Demo
  • Start for Free
Portal LoginSupportBlogContact
Search
Close search
Get a Demo
Start for Free
HomeCybersecurity 101
Same Origin Policy

What Is Same Origin Policy

Written by: Lizzie Danielson

Published: 9/26/2025

woman at laptop
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page
What is Same Origin Policy
Why same origin policy matters for web security
How does same origin policy work
Common attacks prevented by same origin policy
Same origin policy example
How to Bypass Same Origin Policy and Why Doing It Is Risky
SOP vs cross-origin resource sharing
Practical tips for developers
Web Security Starts with Awareness

Ever wondered how your browser keeps you safe while surfing the web? Cue the same origin policy (SOP), one of the web's unsung heroes. This browser security model restricts interactions between different sites, shielding you from potential data breaches and bad actors. Think of it as your web guardian, ensuring that scripts from Site A can't mess with data from Site B.

This post dives deep into what the same origin policy is, how it works, its benefits, and the risks tied to bypassing it. We’ll also explore SOP’s relationship to CORS (Cross-Origin Resource Sharing), backed by real-world examples. Whether you're a developer looking to fortify your app or a budding cybersecurity enthusiast, this guide is your perfect starting point.

What is Same Origin Policy

The same-origin policy is a browser security feature that prevents scripts on one origin from accessing data on another origin.

First, we need to define “origin.” An origin is a unique combination of protocol (http or https), domain, and port number. If these three match, the two sites share the same origin. For example:

  • http://example.com/page1.html and http://example.com/page2.html are same-origin.

  • https://example.com and http://example.com are NOT same-origin because the protocol differs.

  • http://blog.example.com and http://example.com are NOT same-origin because the domains differ.

Without SOP, malicious sites could interact with sensitive sites (think online banking or email platforms), leading to disastrous outcomes.

Why same origin policy matters for web security

SOP is a shield against two of the most dangerous web attacks:

  • Cross-Site Scripting (XSS)

XSS occurs when attackers inject malicious scripts into a trusted webpage. SOP minimizes the extent of data theft by isolating these scripts. For instance, even if a rogue script runs on an online blog, it can’t access your email account cookies.

  • Cross-Site Request Forgery (CSRF)

CSRF tricks users into executing unintended actions, like transferring money, on authorized sites without their consent. SOP helps block unauthorized scripts from making these requests on your behalf.

Simply put, SOP creates a wall around each site’s data, preventing chaos.

How does same origin policy work

When your browser loads scripts from one origin, it applies SOP to restrict specific actions. Here’s how it works in practice:

  • Allowed: Embedding static resources like images, stylesheets, and JavaScript files from other origins.

  • Blocked: Dynamic interactions like reading cookies, accessing DOM structures, or running scripts from a different origin.

SOP in Action

Imagine you’re logged into your online banking account https://bank.com. Now, you unknowingly visit http://badsite.com. Without SOP:

  • badsite.com could send API requests to your bank account.

  • Worse, it could read sensitive data like account balances or credentials.

With SOP enforced, the offending scripts are blocked, keeping your data safe.

A Common Exception - CORS

Sometimes, sharing resources cross-origin is necessary. For instance, a web app hosted on api.example.com might need to interact with frontend.example.com. Enter Cross-Origin Resource Sharing (CORS). By setting specific headers, websites can whitelist trusted origins to bypass SOP restrictions.

Example of a CORS Header

To allow https://frontend.example.com to access resources from https://api.example.com, the server would include the following header in its response:

```

Access-Control-Allow-Origin: https://frontend.example.com

```

Common attacks prevented by same origin policy

  • Session Hijacking

Attackers can trick users into visiting malicious links to steal session cookies. Thanks to SOP, one site can’t “peek” into the session data of another origin.

  • Data Theft via Embedded Frames

Embedding iframes from sensitive sites was once a common method for attackers to extract data. With SOP, any attempt to access iframe details from a different origin is blocked outright.

  • Clickjacking

SOP works in tandem with headers like X-Frame-Options to prevent clickjacking attacks, where users unknowingly click hidden elements embedded by attackers.

Same origin policy example

Allowed Scenario

A blog on http://example.com embeds an image from http://cdn.example.com. The browser allows this because it’s a passive request requiring no dynamic interaction.

Blocked Scenario

The same blog tries to read user cookies from http://bank.com. SOP blocks this outright, as the origins are different.

How to Bypass Same Origin Policy and Why Doing It Is Risky

Methods to bypass SOP

  • CORS Headers: Explicitly grant access by including Access-Control-Allow-Origin in server responses. Used to enable trusted cross-origin communication.

  • JSONP: This technique wraps cross-origin requests using JavaScript callbacks. It’s an older method and largely replaced by CORS.

  • document.domain Setter: Allows scripts from subdomains of the same root domain to communicate (e.g., login.example.com to example.com). However, this is deprecated and should be avoided.

Why bypassing SOP can be dangerous

While bypassing SOP may seem harmless for legitimate use cases, misconfigurations can make your systems vulnerable:

  • Overly permissive CORS policies (e.g., Access-Control-Allow-Origin: *) expose sensitive resources to all origins.

  • Attackers can leverage insecure bypasses like JSONP for XSS attacks or sensitive data interception.

  • Improper use of iframe embedding or window messaging APIs (postMessage) risks leaking confidential information.

If bypassing SOP is essential, ensure strict access control policies are in place to minimize risks.

SOP vs cross-origin resource sharing

While SOP focuses on restricting cross-origin actions for security, CORS provides a framework for safely enabling approved access. Think of SOP as a locked door and CORS as a customized key.

Key differences

Feature

Same Origin Policy

CORS

Purpose

Restricts cross-origin interactions

Enables safe cross-origin data sharing

Flexibility

Highly restrictive

Configurable via headers

Use Case Example

Blocking unauthorized scripts

Allowing a trusted front-end to fetch APIs

Practical tips for developers

  • Set Secure CORS Policies: Avoid setting Access-Control-Allow-Origin to *. Restrict access to trusted origins only.

  • Use HTTPS Everywhere: Accessing resources over HTTP is a security risk. Always use HTTPS for sensitive applications.

  • Sanitize Inputs: Validating data on both client and server sides reduces risks like XSS.

  • Monitor Headers: Implement headers like X-Frame-Options and Content-Security-Policy to guard against iframe abuse and unauthorized script injections.

Web Security Starts with Awareness

The Same-Origin Policy might not be the flashiest part of web security, but it’s undeniably one of the most important. By quietly blocking harmful cross-origin interactions, SOP keeps the internet a safer place for everyone.

Developers and security teams should treat SOP as a foundation, not a standalone solution. Combine its safeguards with modern defenses like CORS configurations, CSRF tokens, secure headers, and proactive threat monitoring to create a rock-solid security approach.

Now you know what SOP is and why it matters. The next step? Use this knowledge to build safer, smarter applications. The future of web security starts with you.

ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page
What is Same Origin Policy
Why same origin policy matters for web security
How does same origin policy work
Common attacks prevented by same origin policy
Same origin policy example
How to Bypass Same Origin Policy and Why Doing It Is Risky
SOP vs cross-origin resource sharing
Practical tips for developers
Web Security Starts with Awareness

FAQs

The same-origin policy (SOP) is a web browser security feature that restricts how documents and scripts from one website (origin) can interact with resources on another. In simple terms, it prevents a malicious site from accessing data on another site through the browser, protecting users from threats like cross-site scripting (XSS) or data leaks. (It’s like a privacy fence between websites.)

SOP helps enforce web privacy and application isolation. Without it, any website could make unauthorized requests or read sensitive information from other websites you’re logged into, such as banking portals or email accounts. It’s a core defense against cross-origin attacks like CSRF and credential theft.

In the context of SOP, “origin” refers to a unique combination of protocol (HTTP/HTTPS), domain, and port. For two web pages to be considered of the same origin, all three elements must match exactly. For example, https://example.com and http://example.com are different origins due to the protocol.

Same-origin policy can be bypassed or relaxed under certain conditions, such as:

  • Using CORS (Cross-Origin Resource Sharing) headers from the server

  • PostMessage API for safe cross-origin communication

  • (Historically) using document.domain, although it’s now deprecated due to security risks Improper use of these methods can lead to vulnerabilities or unauthorized access.

The same-origin policy is a default browser-enforced restriction, while CORS is a way for servers to explicitly allow certain cross-origin requests using headers like Access-Control-Allow-Origin. SOP blocks by default; CORS provides controlled exceptions when configured securely.

To prevent cross-origin attacks:

  • Use strict and validated CORS policies

  • Avoid Access-Control-Allow-Origin: * unless absolutely necessary

  • Implement CSRF tokens

  • Sanitize and validate all inputs to prevent XSS Use security headers like Content-Security-Policy, X-Frame-Options, and SameSite cookies

    • These practices complement the same-origin policy to create layered browser security.

Glitch effectBlurry glitch effect
Glitch effect

Additional Resources

  • Read more about What Is Clickjacking? UI Redress Attacks Explained
    What Is Clickjacking? UI Redress Attacks Explained
    What Is Clickjacking? UI Redress Attacks Explained
    Learn what clickjacking is, how it works, real-world examples, and preventive measures to protect your organization from malicious click-based attacks.
  • Read more about What Is Website Logging? How Web Logs Secure Data
    What Is Website Logging? How Web Logs Secure Data
    What Is Website Logging? How Web Logs Secure Data
    Learn how website logging tracks user activity, detects threats, and strengthens cybersecurity. Discover best practices and tools for effective log monitoring.
  • Read more about What is Dangling Markup?
    What is Dangling Markup?
    What is Dangling Markup?
    Dangling Markup exploits unclosed HTML tags, making web applications vulnerable. Understand its risks, examples, and how to build defenses against it.
  • Read more about What Is Cross-Site Scripting?
    What Is Cross-Site Scripting?
    What Is Cross-Site Scripting?
    Learn what Cross-Site Scripting (XSS) is, how it works, and how to prevent it. A must-read guide for securing web applications and protecting user data.
  • Read more about What Is a Race Condition? Types, Causes & Security Impact
    What Is a Race Condition? Types, Causes & Security Impact
    What Is a Race Condition? Types, Causes & Security Impact
    Learn everything cybersecurity professionals need to know about race conditions. Discover their definition, types, causes, real-world examples, and how to detect and prevent them.
  • Read more about What is SASE Secure Access Service Edge Explained
    What is SASE Secure Access Service Edge Explained
    What is SASE Secure Access Service Edge Explained
    Learn what SASE means, how it strengthens network security, key benefits, and how it compares to traditional models
  • Read more about What is an Ingress Controller? Kubernetes Security Guide
    What is an Ingress Controller? Kubernetes Security Guide
    What is an Ingress Controller? Kubernetes Security Guide
    Learn how ingress controllers protect Kubernetes clusters by managing external traffic, providing SSL termination, and centralizing security controls.
  • Read more about What is a User Agent?
    What is a User Agent?
    What is a User Agent?
    Discover what a user agent is and how it facilitates web interactions. Learn about User-Agent strings and their role in web optimization.
  • Read more about What is Dark Web Monitoring? | Dark Web Monitoring | Huntrses
    What is Dark Web Monitoring? | Dark Web Monitoring | Huntrses
    What is Dark Web Monitoring? | Dark Web Monitoring | Huntrses
    Learn what the dark web is and why businesses need dark web monitoring to make sure their data and employee credentials aren’t being sold to the highest bidder.
Glitch effectGlitch effect

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free
Huntress Managed Security PlatformManaged EDRManaged EDR for macOSManaged EDR for LinuxManaged ITDRManaged SIEMManaged Security Awareness TrainingManaged ISPMManaged ESPMBook a Demo
PhishingComplianceBusiness Email CompromiseEducationFinanceHealthcareManufacturingState & Local Government
Managed Service ProvidersResellersIT & Security Teams24/7 SOCCase Studies
BlogResource CenterCybersecurity 101Upcoming EventsSupport Documentation
Our CompanyLeadershipNews & PressCareersContact Us
Huntress white logo

Protecting 250k+ customers like you with enterprise-grade protection.

Privacy PolicyCookie PolicyTerms of UseCookie Consent
Linkedin iconTwitter X iconYouTube iconInstagram icon
© 2025 Huntress All Rights Reserved.

Join the Hunt

Get insider access to Huntress tradecraft, killer events, and the freshest blog updates.

By submitting this form, you accept our Terms of Service & Privacy Policy