Overview

The Same-Origin Policy (SOP) is one of the most important security concepts in the modern web. It prevents a malicious website from running JavaScript that reads data from another website (such as your bank or email) that you have open in another tab.

What defines an 'Origin'?

An origin is defined by the combination of the Protocol (e.g., HTTPS), Host (e.g., example.com), and Port (e.g., 443). All three must match exactly for two resources to be considered 'same-origin'; the path and query string play no part in the comparison.
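As an added illustration (not part of the original page), the following JavaScript derives the (scheme, host, port) triple from a URL and compares two URLs the way a browser's same-origin check does, including the rule that an omitted port means the scheme's default port. The test URLs are constructed for this example.

```javascript
// Added example (not from the original page): build the origin triple from a
// URL and compare two URLs for same-origin status. Uses only the standard
// WHATWG URL class, so it runs unchanged in Node.js or a browser.

// Default ports per scheme from the URL standard: a URL that omits the port is
// equivalent to one that states the scheme's default explicitly.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Return the (scheme, host, port) triple that defines an origin.
function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser drops an explicit default port, so restore it for comparison.
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] || "");
  // u.hostname is already lower-cased by the parser (hosts are case-insensitive).
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only when all three components match exactly.
function isSameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases, each compared against https://example.com/page
const CASES = [
  ["https://example.com/other?x=1", true],   // path and query never matter
  ["https://example.com:443/", true],        // explicit default port
  ["https://EXAMPLE.com/", true],            // host is case-insensitive
  ["http://example.com/", false],            // scheme differs
  ["https://api.example.com/", false],       // a subdomain is a different host
  ["https://example.com:8443/", false],      // port differs
];

// Evaluate every case; returns objects with the expected and computed result.
function checkCases(base = "https://example.com/page") {
  return CASES.map(([url, expected]) => ({ url, expected, got: isSameOrigin(base, url) }));
}
```

The built-in `URL.prototype.origin` serialises the same triple (omitting default ports), so comparing two `.origin` strings is the idiomatic shortcut in production code.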

Exceptions

SOP generally allows 'embedding' cross-origin resources (for example images, or scripts loaded via <script src=...> tags) but prevents JavaScript from 'reading' the content of those resources unless the serving site opts in via CORS.

Related Terms