From the course: ASP.NET: Security
Same-origin policy and CORS
- [Instructor] Contrary to some rumors, JavaScript does have a security concept, and it's the Same-Origin Policy. The idea is that, and I simplify a little bit here, that has the same origin, or security context. What does that mean? Well, there are three pieces of information that have to be the same between the HTML page that contains the JavaScript code and the resource we are talking to. First of all, the protocol. So for instance, if we are on http://hplussport.com and try to do an Ajax call to https://hplussport.com, even if it's the same server, it's a different protocol, so it's a different origin. That does not work. The second criterion is the domain name, the fully qualified domain name. So if we are on www.hplussport.com and would like to call hplussport.com, even if it's exactly the same machine, from www.hplussport.com to hplussport.com the domain name doesn't match, so it's a different origin. That call doesn't work. So hplussport.com on port 444 is not the same as, well, no port…
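The three-part origin check the instructor walks through (protocol, host, port), as an added example that is not part of the course or its exercise files. It uses the standard WHATWG URL API available in browsers and Node.js; hplussport.com and port 444 are the hypothetical values from the transcript. The last function goes one step past where the transcript cuts off and shows the rule a browser applies to the Access-Control-Allow-Origin response header under CORS: the header must be "*" or the exact serialized origin of the page, and "*" is rejected when the request carries credentials.

```javascript
// Added example, not code from the course. Shows how a browser decides
// whether two URLs share an origin (scheme, host, port), and how the
// Access-Control-Allow-Origin header relaxes that check under CORS.
// Hostnames and ports are hypothetical, taken from the transcript.

// Default ports per scheme. The URL parser drops an explicit default port
// (https://host:443 parses with port ""), so it is restored before comparing.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Extract the origin tuple. Path, query and fragment play no part in it.
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol,                                   // e.g. "https:"
    host: u.hostname,                                     // www.hplussport.com != hplussport.com
    port: u.port || DEFAULT_PORTS[u.protocol] || "",      // "444" vs "443"
  };
}

// The same-origin policy: all three parts must match, or the page's script
// may not read the response.
function sameOrigin(pageUrl, resourceUrl) {
  const a = originOf(pageUrl), b = originOf(resourceUrl);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Report which of the three parts broke the match, or null if none did.
function whyDifferent(pageUrl, resourceUrl) {
  const a = originOf(pageUrl), b = originOf(resourceUrl);
  if (a.scheme !== b.scheme) return "protocol";
  if (a.host !== b.host) return "host";
  if (a.port !== b.port) return "port";
  return null;
}

// CORS: a cross-origin response becomes readable only if the server's
// Access-Control-Allow-Origin header is "*" or exactly equals the page's
// serialized origin (scheme://host[:non-default port]). Substring matches
// do not count, and "*" is refused for credentialed requests.
function corsExposesResponse(pageUrl, allowOriginHeader, withCredentials = false) {
  if (allowOriginHeader === "*") return !withCredentials;
  return allowOriginHeader === new URL(pageUrl).origin;
}

// The transcript's three cases: each one is a different origin.
console.log(whyDifferent("http://hplussport.com/", "https://hplussport.com/api"));    // protocol
console.log(whyDifferent("http://www.hplussport.com/", "http://hplussport.com/api")); // host
console.log(whyDifferent("https://hplussport.com/", "https://hplussport.com:444/"));  // port
```

Note that the comparison is done on the parsed URL, so an explicit default port (https://hplussport.com:443) and no port at all are the same origin, which is the behaviour the instructor is heading toward when the transcript cuts off.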
Contents
- OWASP Top 10 (3m 36s)
- Cross-site scripting (XSS): The attack (5m 10s)
- Cross-site scripting (XSS): The defense (4m 18s)
- Cross-site scripting (XSS) in JavaScript (5m 19s)
- Same-origin policy and CORS (5m 12s)
- Enabling CORS in ASP.NET Web API (6m 20s)
- SQL injection with ADO.NET (3m 56s)
- SQL injection with Entity Framework (3m 32s)
- Fixing SQL injection (4m 27s)
- Cross-Site Request Forgery (CSRF) (4m 40s)
- Defending against CSRF (4m 24s)