Understanding Web Security: Same-Origin Policy in Web Applications

Slide Note
Embed
Share

In web development, the Same-Origin Policy plays a crucial role in ensuring the security of web applications by restricting how documents or scripts loaded from one origin can interact with resources from another origin. This policy helps prevent malicious attacks such as Cross-Origin Request Forgery (CSRF) and Cross-Site Scripting (XSS) by enforcing strict access control between different origins. Understanding the implications and implementation of the Same-Origin Policy is essential for building secure and reliable web applications.

lavellewo
lavellewo Follow

Uploaded on Oct 03, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Web Security Same-Origin Policy Connor Nelson Arizona State University

  2. #Cross-Origin Web Applications Here is an image: <img src="http://red/"> And another image: <img src="http://blue/">

  3. #Cross-Origin Web Applications Here is an image: <img src="http://red/"> And another image: <img src="http://blue/">

  4. #Cross-Origin Web Applications Here is an image: <img src="http://red/"> And another image: <img src="http://blue/">

  5. #Cross-Origin Web Applications Here is an image: <img src="http://red/"> And another image: <img src="http://blue/">

  6. #Cross-Origin Web Applications Here is an image: <img src="http://red/"> And another image: <img src="http://blue/">

  7. #HTTP URL Scheme <scheme>://<host>:<port>/<path>?<query>#<fragment>

  8. #Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>)

  9. #Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ example.com, 80) (http,

  10. #Same-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ example.com, 80) (http, http://example.com/cat.gif (http, example.com, 80)

  11. #Different-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ example.com, 80) (http, https://example.com/ example.com, 80) (https,

  12. #Different-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ example.com, 80) (http, http://cats.example.com/ 80) (http, cats.example.com,

  13. #Different-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ example.com, 80) (http, http://example.com:8080/ (http, example.com, 8080)

  14. #Same-Origin Policy: Sending HTTP Requests Cross-Origin Simple Requests Allowed Methods: GET / HEAD / POST Headers: Accept Accept-Language Content-Language Content-Type application/x-www-form-urlencoded multipart/form-data text/plain Range (only simple values)

  15. #Same-Origin Policy: Reading HTTP Responses Cross-Origin HTML-Embeds Allowed Images: <img> Media: <video> and <audio> External Resources: <object> and <embed> Inline Frames: <iframe> CSS: <link rel="stylesheet" href="..."> JavaScript: <script src="..."></script> Non HTML-Embeds Disallowed

  16. #Domain Name Labels Delimited by Dots www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io

  17. #Top-Level Domain Right-Most Label of Domain www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io

  18. #Effective Top-Level Domain According to the Public Suffix List: https://publicsuffix.org/list/public_suffix_list.dat www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io

  19. #Site Effective Top-Level Domain +1 www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io

  20. #SameSite Cookie Attribute SameSite=None Cookie is sent in cross-site requests SameSite=Lax (default) Cookie is sent in cross-site top-level navigation GET requests SameSite=Strict Cookie is not sent in cross-site requests

  21. #Domain Cookie Attribute Cookie is sent in requests to the specified domain, and any subdomains. In unspecified, the cookie is only sent in requests to the setting host, excluding subdomains.

  22. #Path Cookie Attribute Cookie is sent in requests to the path, and any other subpath.

  23. #Cross-Origin Resource Sharing (CORS) Preflight Request OPTIONS / HTTP/1.1 Headers: Origin Access-Control-Request-Method Access-Control-Request-Headers

  24. #Cross-Origin Resource Sharing (CORS) Preflight Response HTTP/1.1 204 No Content Headers: Access-Control-Allow-Origin Access-Control-Allow-Methods Access-Control-Allow-Headers Access-Control-Allow-Credentials

  25. #Cross-Origin Resource Sharing (CORS) Response HTTP/1.1 200 OK Headers: Access-Control-Allow-Origin Access-Control-Allow-Credentials Access-Control-Expose-Headers

Related


Understanding Web Security: Cross-Origin Resource Sharing & Same-Origin Policy

Understanding Web Security: Cross-Origin Resource Sharing & Same-Origin Policy

dula_ikh
Understanding Session Management and Same-Origin Policy in Web Security

Understanding Session Management and Same-Origin Policy in Web Security

januelmi
Web Security Fundamentals: Understanding the Same Origin Policy

Web Security Fundamentals: Understanding the Same Origin Policy

fwol
Understanding Rules of Origin in Trade Agreements

Understanding Rules of Origin in Trade Agreements

esmar
Importance of Security in Web Development

Importance of Security in Web Development

kharmync
Understanding Country of Origin Determination by U.S. Customs

Understanding Country of Origin Determination by U.S. Customs

tyrell
Overview of Registered Exporter System (REX) for Origin Certification under Generalized System of Preferences (GSP) for EU

Overview of Registered Exporter System (REX) for Origin Certification under Generalized System of Preferences (GSP) for EU

bryony
Technical Soundness of EU-SADC EPA Rules of Origin

Technical Soundness of EU-SADC EPA Rules of Origin

vida
Origin and Evolution of Angiosperms: Insights into Their Phylogenetic Origins

Origin and Evolution of Angiosperms: Insights into Their Phylogenetic Origins

cadmus
Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches

Cybersecurity Challenges: Attacks on Web Applications and Cost of Security Breaches

hari
Understanding Cross-Domain Policies in Web Application Security

Understanding Cross-Domain Policies in Web Application Security

jayelyn
Understanding the Role of Security Champions in Organizations

Understanding the Role of Security Champions in Organizations

irvin
Understanding the Roles of a Security Partner

Understanding the Roles of a Security Partner

zaara
OWASP Bricks - Web Application Security Learning Platform

OWASP Bricks - Web Application Security Learning Platform

aleia
Exploring the Fundamentals of Web Engineering

Exploring the Fundamentals of Web Engineering

smcli
Morality in UK Drug Policy: Policy Constellations Analysis

Morality in UK Drug Policy: Policy Constellations Analysis

ege_nya
Understanding Security in World Politics

Understanding Security in World Politics

eisenberg_k
Understanding Rules of Origin and Tariff-Free Trading with the EU

Understanding Rules of Origin and Tariff-Free Trading with the EU

balfour
Understanding the Seal of Origin Program in Chile

Understanding the Seal of Origin Program in Chile

hzun
Understanding Rules of Origin in EU-UK Trade

Understanding Rules of Origin in EU-UK Trade

jart243
The Divine Origin of the Church: Unveiling Biblical Prophecies

The Divine Origin of the Church: Unveiling Biblical Prophecies

edilw
Understanding the Law of Torts: Origin, Theories, and Objectives

Understanding the Law of Torts: Origin, Theories, and Objectives

main_nd
Understanding Transport Layer Security (TLS)

Understanding Transport Layer Security (TLS)

amabel
The Origin of Viruses: Theories and Evidence

The Origin of Viruses: Theories and Evidence

capri

More Related Content

Theories on the Origin of State: Divine, Force, Patriarchal, and More
Theories on the Origin of State: Divine, Force, Patriarchal, and More
Ticagrelor Added to Aspirin in Acute Non-Severe Ischemic Stroke or TIA of Atherosclerotic Origin
Ticagrelor Added to Aspirin in Acute Non-Severe Ischemic Stroke or TIA of Atherosclerotic Origin
Understanding Web Hosting and Server Types
Understanding Web Hosting and Server Types
Understanding Web Security Fundamentals in Networking
Understanding Web Security Fundamentals in Networking
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
Comprehensive Course Review: Security Research Cornerstones at Carnegie Mellon University
UIC Security Division Overview and International Activities
UIC Security Division Overview and International Activities
Automating Security Operations Using Phantom
Automating Security Operations Using Phantom
BCA 601(N): Computer Network Security
BCA 601(N): Computer Network Security
Understanding Web Browsers and Internet Explorer
Understanding Web Browsers and Internet Explorer
Understanding Silverlight for Web Hosting Companies
Understanding Silverlight for Web Hosting Companies
Franco-Japanese Cybersecurity Workshop Highlights and Future Plans
Franco-Japanese Cybersecurity Workshop Highlights and Future Plans
Understanding REST API Basics and Traditional Web Applications
Understanding REST API Basics and Traditional Web Applications
Understanding Theories of the Policy Cycle in Policy Analysis
Understanding Theories of the Policy Cycle in Policy Analysis
Exploring Secure Cooperative Sharing of Resources in Web Applications
Exploring Secure Cooperative Sharing of Resources in Web Applications
Enhancing Interdomain Routing Security with RPKI
Enhancing Interdomain Routing Security with RPKI
Challenges in Policy Implementation and Lessons Learned
Challenges in Policy Implementation and Lessons Learned
Industrial Policy: The Old and The New - Insights by Dani Rodrik
Industrial Policy: The Old and The New - Insights by Dani Rodrik
Understanding Internet Basics and Web Browsers
Understanding Internet Basics and Web Browsers
International Approaches to Enhance Nuclear Safety and Security
International Approaches to Enhance Nuclear Safety and Security
Understanding Security Onion: Network Security Monitoring Tools
Understanding Security Onion: Network Security Monitoring Tools
Understanding Cyber Security and Risks
Understanding Cyber Security and Risks
Understanding Provable Security Models in Cryptography
Understanding Provable Security Models in Cryptography
Understanding Computer Security Principles and Practices
Understanding Computer Security Principles and Practices
Understanding Security Threats and Countermeasures
Understanding Security Threats and Countermeasures