Same Origin Policy (SOP)

Same Origin Policy (SOP), also called Single Origin Policy, is a security measure used in Web browser programming languages such as JavaScript and Ajax to protect the confidentiality and integrity of information. Same Origin Policy prevents a web site's scripts from accessing and interacting with scripts used on other sites.

HTTP cookies are dependent on the Same Origin Policy to ensure that sensitive information held about a certain user's activity pertains only to one site. Requiring scripts to be from the same site, or have the same origin, in order to interact with each other without restriction allows browsers to maintain user sessions securely without user re-authentication.

The Same Origin Policy is commonly circumvented by clientless SSL VPNs; the VPNs draw content from all over the Internet and present it to the client as though it came from the same origin, thereby allowing scripts from various sites to interact. This is dangerous because a malicious script from a compromised site could interact with a script from a legitimate site without restriction, potentially leading to malware infections or sensitive data being compromised.

This was last updated in February 2010

Dig Deeper on Application and platform security