Understanding Web Security: Same-Origin Policy in Web Applications
In web development, the Same-Origin Policy plays a crucial role in ensuring the security of web applications by restricting how documents or scripts loaded from one origin can interact with resources from another origin. This policy helps prevent malicious attacks such as Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) by enforcing strict access control between different origins. Understanding the implications and implementation of the Same-Origin Policy is essential for building secure and reliable web applications.
Web Security: Same-Origin Policy. Connor Nelson, Arizona State University
#Cross-Origin Web Applications Here is an image: <img src="http://red/"> And another image: <img src="http://blue/">
#HTTP URL Scheme <scheme>://<host>:<port>/<path>?<query>#<fragment>
#Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>)
#Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ (http, example.com, 80)
#Same-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ (http, example.com, 80) http://example.com/cat.gif (http, example.com, 80)
#Different-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ (http, example.com, 80) https://example.com/ (https, example.com, 80)
#Different-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ (http, example.com, 80) http://cats.example.com/ (http, cats.example.com, 80)
#Different-Origin <scheme>://<host>:<port>/<path>?<query>#<fragment> (<scheme>, <host>, <port>) http://example.com/ (http, example.com, 80) http://example.com:8080/ (http, example.com, 8080)
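The origin tuple and the same-origin comparison from the preceding slides, as an added example (this is not code from the slides or from pwn.college). It uses the WHATWG URL parser built into Node.js, which drops a port that equals the scheme's default, so the default (80 for http, 443 for https) is filled back in to produce the explicit (scheme, host, port) tuple the slides show; path, query and fragment play no part in the comparison.

```javascript
// Added example (not from the slides): compute the (scheme, host, port) origin
// tuple of a URL and compare two URLs for same-origin-ness as the
// Same-Origin Policy does. Runs on Node.js with the built-in URL class.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns the origin tuple {scheme, host, port}. url.port is "" when the URL
// is on its scheme's default port, so the default is filled in explicitly.
function originOf(urlString) {
  const url = new URL(urlString);
  return {
    scheme: url.protocol.replace(/:$/, ""),
    host: url.hostname,                                  // already lower-cased by the parser
    port: url.port || DEFAULT_PORTS[url.protocol] || "",
  };
}

// Two URLs are same-origin only when all three tuple components match.
function sameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Formats a tuple the way the slides do: (http, example.com, 80).
function tupleString(urlString) {
  const { scheme, host, port } = originOf(urlString);
  return `(${scheme}, ${host}, ${port})`;
}

// The slides' pairs, plus one case the slides do not show: an explicit default
// port and a different path/query/fragment, none of which changes the origin.
const PAIRS = [
  ["http://example.com/", "http://example.com/cat.gif"],
  ["http://example.com/", "https://example.com/"],
  ["http://example.com/", "http://cats.example.com/"],
  ["http://example.com/", "http://example.com:8080/"],
  ["http://example.com/", "http://example.com:80/index.html?x=1#top"],
];

for (const [a, b] of PAIRS) {
  const verdict = sameOrigin(a, b) ? "same-origin" : "different-origin";
  console.log(`${a} ${tupleString(a)} vs ${b} ${tupleString(b)} -> ${verdict}`);
}
```

Run it with `node` and the last pair prints same-origin even though the second URL spells out `:80` and adds a path, query and fragment; the https pair prints different-origin with port 443 on the https side, which is what a browser computes for that URL.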
#Same-Origin Policy: Sending HTTP Requests Cross-Origin. Simple Requests Allowed. Methods: GET / HEAD / POST. Headers: Accept, Accept-Language, Content-Language, Content-Type (application/x-www-form-urlencoded, multipart/form-data, text/plain), Range (only simple values)
#Same-Origin Policy: Reading HTTP Responses Cross-Origin. HTML-Embeds Allowed: Images <img>; Media <video> and <audio>; External Resources <object> and <embed>; Inline Frames <iframe>; CSS <link rel="stylesheet" href="...">; JavaScript <script src="..."></script>. Non HTML-Embeds Disallowed
#Domain Name Labels Delimited by Dots www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io
#Top-Level Domain Right-Most Label of Domain www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io
#Effective Top-Level Domain According to the Public Suffix List: https://publicsuffix.org/list/public_suffix_list.dat www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io
#Site Effective Top-Level Domain +1 www.example.com www.google.com www.google.co.uk pwn.college dojo.pwn.college pwncollege.github.io
#SameSite Cookie Attribute SameSite=None: Cookie is sent in cross-site requests. SameSite=Lax (default): Cookie is sent in cross-site top-level navigation GET requests. SameSite=Strict: Cookie is not sent in cross-site requests.
#Domain Cookie Attribute Cookie is sent in requests to the specified domain, and any subdomains. If unspecified, the cookie is only sent in requests to the setting host, excluding subdomains.
#Path Cookie Attribute Cookie is sent in requests to the path, and any other subpath.
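The site computation from the Domain Name / Effective Top-Level Domain / Site slides and the SameSite, Domain and Path cookie rules from the three cookie slides, worked through together as an added example (not code from the slides or from pwn.college). `PUBLIC_SUFFIXES` is a constructed subset of the Public Suffix List that covers just the slides' hostnames; the real list also contains wildcard (`*.example`) and exception (`!sub.example`) rules, which this simplified lookup ignores. The cookie and request objects are constructed for the example, and `cookieIsSent` is this example's model of the browser's decision, not browser code.

```javascript
// Added example (not from the slides): effective TLD, site (eTLD+1), and a model
// of whether a stored cookie is attached to a request under the SameSite,
// Domain and Path attributes.

// Constructed subset of the Public Suffix List (no wildcard/exception rules).
const PUBLIC_SUFFIXES = new Set(["com", "uk", "co.uk", "college", "io", "github.io"]);

// Effective TLD: the longest trailing label sequence that is a public suffix,
// falling back to the right-most label for a TLD the list does not know.
function effectiveTld(hostname) {
  const labels = hostname.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {            // longest candidate first
    const candidate = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(candidate)) return candidate;
  }
  return labels[labels.length - 1];
}

// Site = eTLD+1. Returns null when the host is itself a public suffix
// (e.g. "github.io"), which has no registrable domain of its own.
function siteOf(hostname) {
  const labels = hostname.toLowerCase().split(".");
  const etldLabels = effectiveTld(hostname).split(".").length;
  if (labels.length <= etldLabels) return null;
  return labels.slice(labels.length - etldLabels - 1).join(".");
}

function sameSite(hostA, hostB) {
  const a = siteOf(hostA);
  return a !== null && a === siteOf(hostB);
}

// cookie:  {settingHost, domain, path, sameSite} as the browser stored it.
// request: {host, path, method, topLevelNavigation, initiatorHost}, where
//          initiatorHost is the host of the page that triggers the request.
function cookieIsSent(cookie, request) {
  const host = request.host.toLowerCase();
  // Domain attribute: set -> that domain and all subdomains; unset -> only the setting host.
  if (cookie.domain) {
    const d = cookie.domain.toLowerCase().replace(/^\./, "");
    if (host !== d && !host.endsWith("." + d)) return false;
  } else if (host !== cookie.settingHost.toLowerCase()) {
    return false;
  }
  // Path attribute: the request path must be the cookie path or a subpath of it
  // ("/app" matches "/app/x" but not "/application").
  const p = cookie.path || "/";
  const prefix = p.endsWith("/") ? p : p + "/";
  if (request.path !== p && !request.path.startsWith(prefix)) return false;
  // SameSite attribute: only consulted when the request crosses a site boundary.
  if (sameSite(request.initiatorHost, host)) return true;
  let mode = (cookie.sameSite || "Lax").toLowerCase();
  if (!["none", "lax", "strict"].includes(mode)) mode = "lax"; // unrecognised value -> default
  if (mode === "none") return true;
  if (mode === "lax") return request.topLevelNavigation && request.method.toUpperCase() === "GET";
  return false;                                                 // strict
}

// Constructed sample data: a session cookie set by example.com, and requests to
// example.com triggered from a page on an unrelated site.
const SESSION = { settingHost: "example.com", domain: null, path: "/", sameSite: "Lax" };
const CROSS_SITE_NAV = { host: "example.com", path: "/", method: "GET",
                         topLevelNavigation: true, initiatorHost: "blog.other.example" };
const CROSS_SITE_POST = { ...CROSS_SITE_NAV, method: "POST", topLevelNavigation: false };

for (const h of ["www.example.com", "www.google.co.uk", "dojo.pwn.college", "pwncollege.github.io"]) {
  console.log(`${h}: eTLD=${effectiveTld(h)} site=${siteOf(h)}`);
}
for (const mode of ["None", "Lax", "Strict"]) {
  const c = { ...SESSION, sameSite: mode };
  console.log(`SameSite=${mode}: top-level GET -> ${cookieIsSent(c, CROSS_SITE_NAV)}, ` +
              `cross-site POST -> ${cookieIsSent(c, CROSS_SITE_POST)}`);
}
```

Two points the run makes visible: `pwncollege.github.io` is its own site because `github.io` is on the public suffix list, so two GitHub Pages hosts are cross-site to each other even though they share a parent domain; and a Lax cookie still rides along on a cross-site top-level GET navigation, which is why state-changing actions should not be triggered by GET. Browsers additionally refuse to store a `SameSite=None` cookie that lacks the `Secure` attribute; that rule is outside the slides and is not modelled here.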
#Cross-Origin Resource Sharing (CORS) Preflight Request OPTIONS / HTTP/1.1 Headers: Origin, Access-Control-Request-Method, Access-Control-Request-Headers
#Cross-Origin Resource Sharing (CORS) Preflight Response HTTP/1.1 204 No Content Headers: Access-Control-Allow-Origin, Access-Control-Allow-Methods, Access-Control-Allow-Headers, Access-Control-Allow-Credentials
#Cross-Origin Resource Sharing (CORS) Response HTTP/1.1 200 OK Headers: Access-Control-Allow-Origin, Access-Control-Allow-Credentials, Access-Control-Expose-Headers
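The simple-request allow-list from the "Sending HTTP Requests Cross-Origin" slide and the preflight/response header exchange from the three CORS slides, as one added example (not code from the slides or from pwn.college). `isSimpleRequest` decides whether the browser would send a request without a preflight; `handlePreflight` and `corsResponseHeaders` are a hypothetical API server's side of the exchange, driven by `SERVER_POLICY`, whose origins, methods and headers are constructed for this example. For the Range header the example accepts a single ascending byte range such as `bytes=0-499`, which is this example's reading of the slide's "only simple values".

```javascript
// Added example (not from the slides): simple-request classification and a
// hypothetical server's CORS preflight and response headers.
const SIMPLE_METHODS = new Set(["GET", "HEAD", "POST"]);
const SIMPLE_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type", "range"]);
const SIMPLE_CONTENT_TYPES = new Set(["application/x-www-form-urlencoded", "multipart/form-data", "text/plain"]);

// True when the method and every header fall inside the simple-request
// allow-list, so the browser sends the request without an OPTIONS preflight.
function isSimpleRequest(method, headers) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SIMPLE_HEADERS.has(n)) return false;
    if (n === "content-type" && !SIMPLE_CONTENT_TYPES.has(value.split(";")[0].trim().toLowerCase())) return false;
    if (n === "range" && !/^bytes=\d+-\d*$/.test(value.trim())) return false;
  }
  return true;
}

// Constructed policy for a hypothetical API server.
const SERVER_POLICY = {
  allowedOrigins: new Set(["https://app.example.com"]),
  allowedMethods: new Set(["GET", "POST", "PUT", "DELETE"]),
  allowedHeaders: new Set(["content-type", "authorization"]),
  allowCredentials: true,
  exposeHeaders: ["X-Request-Id"],
};

// Server side of the OPTIONS preflight. reqHeaders keys are lower-cased names.
function handlePreflight(reqHeaders, policy) {
  const origin = reqHeaders["origin"];
  const method = (reqHeaders["access-control-request-method"] || "").toUpperCase();
  const requested = (reqHeaders["access-control-request-headers"] || "")
    .split(",").map(h => h.trim().toLowerCase()).filter(Boolean);
  const admitted = policy.allowedOrigins.has(origin)
    && policy.allowedMethods.has(method)
    && requested.every(h => policy.allowedHeaders.has(h));
  // A preflight that is not admitted carries no Access-Control-Allow-* headers,
  // so the browser never sends the real request.
  if (!admitted) return { status: 403, headers: { "Vary": "Origin" } };
  const headers = {
    "Access-Control-Allow-Origin": origin,                     // echo the matched origin, never "*"
    "Access-Control-Allow-Methods": [...policy.allowedMethods].join(", "),
    "Access-Control-Allow-Headers": [...policy.allowedHeaders].join(", "),
    "Vary": "Origin",                                          // response differs per origin; tell caches
  };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  return { status: 204, headers };
}

// Headers on the actual 200 response that let the requesting page read it.
function corsResponseHeaders(origin, policy) {
  if (!policy.allowedOrigins.has(origin)) return { "Vary": "Origin" };
  const headers = { "Access-Control-Allow-Origin": origin, "Vary": "Origin" };
  if (policy.allowCredentials) headers["Access-Control-Allow-Credentials"] = "true";
  if (policy.exposeHeaders.length) headers["Access-Control-Expose-Headers"] = policy.exposeHeaders.join(", ");
  return headers;
}

// Constructed sample requests.
console.log("form POST is simple:", isSimpleRequest("POST", { "Content-Type": "application/x-www-form-urlencoded" }));
console.log("JSON POST is simple:", isSimpleRequest("POST", { "Content-Type": "application/json" }));
console.log("preflight from allowed origin:", handlePreflight({
  "origin": "https://app.example.com",
  "access-control-request-method": "PUT",
  "access-control-request-headers": "Content-Type, Authorization",
}, SERVER_POLICY));
console.log("preflight from other origin:", handlePreflight({
  "origin": "https://other.example",
  "access-control-request-method": "GET",
}, SERVER_POLICY));
console.log("response headers:", corsResponseHeaders("https://app.example.com", SERVER_POLICY));
```

The two design choices worth noticing: the server echoes the one origin it matched against its allow-list rather than reflecting whatever `Origin` arrived (reflecting any origin together with `Access-Control-Allow-Credentials: true` would hand every site read access to authenticated responses), and `Vary: Origin` is set so a shared cache does not serve one origin's allow headers to another. A JSON `POST` is not a simple request even though `POST` is a simple method, because `application/json` is not one of the three permitted Content-Type values, so it triggers a preflight.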