The same-origin policy (SOP) is the browser's default security boundary: script from one origin may freely interact with same-origin resources but is restricted from *reading* resources from a different origin. It stops a malicious page from reading the responses another site returns for the user's authenticated session.

## What Counts as an Origin

An origin is the triple **scheme + host + port** (RFC 6454). All three must match.

| URL vs `https://app.example.com` | Same origin? | Why |
|----------------------------------|--------------|-----|
| `https://app.example.com/page` | ✅ | path is ignored |
| `http://app.example.com` | ❌ | scheme differs |
| `https://api.example.com` | ❌ | host differs |
| `https://app.example.com:8443` | ❌ | port differs |

## What It Restricts

- **Blocked**: reading cross-origin responses (`fetch`/`XHR`), reading another origin's DOM in an iframe, reading its cookies / `localStorage`.
- **Allowed**: *sending* cross-origin form POSTs, embedding cross-origin images/scripts/stylesheets, navigating to another origin.

The asymmetry — writes and embeds allowed, reads blocked — is the foundational point.

## Why It Matters

- **CSRF** exploits the allowed write (a cross-origin POST is permitted).
- **CORS** exists to selectively *grant* the blocked read.
- SOP is **browser-enforced only** — curl, server-to-server calls, and non-browser clients ignore it entirely.

---

*Source: RFC 6454 — The Web Origin Concept (IETF, Dec 2011, https://www.rfc-editor.org/rfc/rfc6454); MDN Web Docs — Same-origin policy (https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).*
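The origin triple from "What Counts as an Origin" and the CORS grant from "Why It Matters" can both be made concrete in a few lines. The block below is an added example, not code from the page, RFC 6454 or MDN: it derives the (scheme, host, port) tuple with the WHATWG `URL` API (Node 18+ or any modern browser), normalises default ports so `https://a` equals `https://a:443`, treats opaque origins (`data:`, `file:`) as matching nothing, and finishes with the exact-match allowlist check a server should apply to the `Origin` header before granting a cross-origin read. The function names `originTuple`, `sameOrigin`, `serializeOrigin` and `isAllowedCorsOrigin`, and all sample URLs, are my own.

```javascript
// Added example, not from the original page: an origin comparison that follows the
// RFC 6454 triple (scheme, host, port), plus the exact-match allowlist check a CORS
// responder should use. Runs in Node 18+ or any modern browser (WHATWG URL).

// Default ports for the schemes that carry a network authority; a URL that omits the
// port is normalised to these so "https://a" and "https://a:443" compare equal.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Returns {scheme, host, port} for a URL with a network origin, or null for an
// opaque origin (data:, file:, about: ...), which is unique and equals nothing.
function originTuple(urlString) {
  const u = new URL(urlString);
  // blob: URLs inherit the origin of the URL that follows "blob:".
  if (u.protocol === "blob:") return originTuple(u.pathname);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol,
    host: u.hostname.toLowerCase(), // the parser already lowercases; explicit for clarity
    port: u.port === "" ? DEFAULT_PORTS[u.protocol] : u.port,
  };
}

// Same origin iff all three components match. Path, query, fragment and userinfo
// play no part, and opaque origins never match, not even a URL against itself.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// ASCII serialisation of the origin, the form the browser sends in the Origin
// request header: scheme://host, with the port only when it is non-default;
// opaque origins serialise to the literal string "null".
function serializeOrigin(urlString) {
  const o = originTuple(urlString);
  if (o === null) return "null";
  const portPart = o.port === DEFAULT_PORTS[o.scheme] ? "" : `:${o.port}`;
  return `${o.scheme}//${o.host}${portPart}`;
}

// Server-side CORS decision: compare the received Origin header against an allowlist
// of serialised origins by exact equality. Prefix or substring matching would let
// "https://app.example.com.other.example" pass for "https://app.example.com"; the
// literal "null" is refused because any sandboxed or opaque context can produce it.
function isAllowedCorsOrigin(originHeader, allowlist) {
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  return allowlist.some((allowed) => serializeOrigin(allowed) === originHeader);
}

// Constructed sample comparisons mirroring the table in the text.
const PAGE = "https://app.example.com";
const SAMPLES = [
  "https://app.example.com/page",
  "http://app.example.com",
  "https://api.example.com",
  "https://app.example.com:8443",
  "https://app.example.com:443/other?x=1#frag",
  "https://user:pw@APP.example.com/",
  "data:text/plain,hello",
];
for (const s of SAMPLES) {
  console.log(`${s.padEnd(48)} same origin as ${PAGE}: ${sameOrigin(PAGE, s)}`);
}
```

In a browser, `new URL(u).origin` already returns the serialised origin; the tuple is re-derived here so the default-port and case normalisation are visible rather than hidden in the parser. Because SOP is browser-enforced only, `isAllowedCorsOrigin` is where the server's own decision has to live: it should compare whole serialised origins, never match by prefix, and never echo the request's `Origin` back unconditionally.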