In this video, learn what a same-origin policy does and the main categories of same-origin policies.
- [Instructor] When we write and deploy code that runs in web browsers, we're building applications that rely on the browser to run. Even though multiple applications can be executed in a browser simultaneously in different windows or tabs, we expect each app to operate independently of the others. This is the same thing we expect from applications we install and run on any computer, which should be unaffected by other applications on that same computer. Modern web browsers have multiple mechanisms in place to keep code in one window or tab isolated from code in other windows or tabs. The foundation of many of these mechanisms is a same-origin policy. A same-origin policy sets out to ensure that the code for one site is not affected by code from other sites. This policy affects a number of sensitive parts of the web API. Because each part is affected in its own unique way, it can be helpful to think of the policy instead as a collection of same-origin policies for different components, each with its own restrictions and rules. For instance, the same-origin policy for XHR serves to prevent access to web services from unauthorized domains. The same-origin policy for cookies protects information stored in a cookie from being read by any site but the one that originally set it. And the same-origin policy for DOM access ensures that access to a webpage's DOM is restricted only to other pages from the same website. Now, all of these policies have exceptions that developers can work with; otherwise the web as we know it would not exist. So understanding same-origin policies also involves learning how to work with them to achieve the outcomes your app or site needs without compromising security.
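The instructor's point that "the" same-origin policy is really several policies with different rules is easiest to see by putting two of them side by side. The following is an added example, not code from the course or the video: it implements the browser's origin comparison used for DOM access and for XHR/fetch (scheme, host and port must all match; the CORS exceptions the video alludes to are deliberately out of scope here) next to the matching rules cookies use (Domain and Path attributes, no port, and scheme only via the Secure flag). The hostnames, cookie and URLs are constructed sample inputs, and the cookie record's default path is simplified to "/".

```javascript
// Added example (not from the course): the origin check browsers apply to
// DOM access and XHR/fetch, beside the looser matching rules for cookies.
// Runs under Node.js; all hosts and URLs below are constructed samples.

// Two URLs are same-origin when scheme, host and port all match.
// URL.origin already normalizes default ports, so https://a.example:443
// and https://a.example compare equal. Opaque origins (file:, data:, ...)
// serialize as "null" and must never be treated as same-origin.
function isSameOrigin(urlA, urlB) {
  const a = new URL(urlA);
  const b = new URL(urlB);
  if (a.origin === "null" || b.origin === "null") return false;
  return a.origin === b.origin;
}

// RFC 6265 domain matching. A cookie set without a Domain attribute is
// host-only; with Domain=example.com it is also sent to every subdomain.
function cookieDomainMatches(requestHost, cookieDomain, hostOnly) {
  const host = requestHost.toLowerCase();
  const domain = cookieDomain.toLowerCase().replace(/^\./, "");
  if (host === domain) return true;
  if (hostOnly) return false;
  // An IPv4 literal never suffix-matches a Domain attribute.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return host.endsWith("." + domain);
}

// RFC 6265 path matching: the cookie path equals the request path, or is a
// prefix of it that ends at a "/" boundary (so /api does not cover /apix).
function cookiePathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  return cookiePath.endsWith("/") || requestPath[cookiePath.length] === "/";
}

// Would the browser attach this cookie to a request for requestUrl?
// Note what is NOT checked: the port, and the scheme unless Secure is set.
// The cookie object is a constructed record; path defaults to "/" here
// (a simplification of the default-path rule for this example).
function cookieIsSentTo(cookie, requestUrl) {
  const u = new URL(requestUrl);
  if (cookie.secure && u.protocol !== "https:") return false;
  const hostOnly = !cookie.domain;
  const domain = cookie.domain || cookie.setBy;
  return cookieDomainMatches(u.hostname, domain, hostOnly) &&
         cookiePathMatches(u.pathname, cookie.path || "/");
}

// Constructed sample: a Secure session cookie that app.example.com set
// for the whole example.com domain, scoped to the /api path.
const sessionCookie = {
  name: "sid",
  setBy: "app.example.com", // host that issued the Set-Cookie header
  domain: "example.com",    // Domain attribute
  path: "/api",
  secure: true,
};

// Constructed sample: a host-only cookie (no Domain attribute) from the same host.
const hostOnlyCookie = { name: "csrf", setBy: "app.example.com", path: "/" };
```

Running `isSameOrigin` against `cookieIsSentTo` on the same pair of hosts makes the difference concrete: `https://api.example.com:8443` is a different origin from `https://app.example.com` (different host and port), so its scripts cannot read the other page's DOM or get an XHR response without CORS, yet the browser will still attach `sessionCookie` to requests sent there, because cookie scope follows Domain and Path and ignores the port. That gap is exactly why a cookie shared across subdomains widens the blast radius of a compromise on any one of them.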