Networking

The Same Origin Policy

Why a page from one site cannot freely read data from another.

4 min read · core

What an origin is

An origin is the triple of scheme, host, and port. Two URLs share an origin only when all three match; the path, query, fragment and any userinfo play no part. An omitted port counts as the scheme's default, so http://example.com and http://example.com:80 are the same origin, while http://example.com:8080 is not. The same origin policy is a browser rule that lets a page interact freely with its own origin but blocks its scripts from reading responses fetched from a different origin.
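The triple comparison above, as an added example that is not part of the lesson: it uses the WHATWG URL API that browsers and Node both implement, and the sample URLs (example.com and variants) are constructed for the demonstration. The `origin` property already discards userinfo, path, query, fragment and any default port, so it is the reliable way to compare two URLs.

```javascript
// Added example, not from the lesson: computing and comparing origins with the
// WHATWG URL API. Sample URLs below are constructed for illustration.
const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443 };

// Break a URL into the (scheme, host, port) triple the policy compares.
// The parser lower-cases the host; an omitted port is filled in from the
// scheme's default so that an explicit ":80" and no port compare equal.
function originOf(urlString) {
  const u = new URL(urlString);
  const scheme = u.protocol.replace(/:$/, "");
  const port = u.port !== "" ? Number(u.port) : DEFAULT_PORTS[scheme] ?? null;
  return { scheme, host: u.hostname, port, serialized: u.origin };
}

// Two URLs are same-origin exactly when their serialized origins match.
function sameOrigin(a, b) {
  return originOf(a).serialized === originOf(b).serialized;
}

// Which components of the triple differ; an empty list means same origin.
// Handy when debugging "why is this request cross-origin?".
function originDiff(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return ["scheme", "host", "port"].filter((k) => x[k] !== y[k]);
}

// Constructed cases: default port, userinfo and host case do not matter;
// scheme, host and port each do.
const CASES = [
  ["http://example.com/a", "http://example.com:80/b?x=1#frag"],
  ["http://user:pw@example.com/", "http://EXAMPLE.COM/"],
  ["http://example.com", "https://example.com"],
  ["http://example.com", "http://www.example.com"],
  ["http://example.com", "http://example.com:8080"],
];

function report() {
  return CASES.map(([a, b]) => ({ a, b, same: sameOrigin(a, b), differs: originDiff(a, b) }));
}
```

`report()` returns the five constructed cases with a `same` flag and the list of differing components; the first two are same-origin, the last three differ in scheme, host and port respectively.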

What it actually blocks

The policy stops scripts from reading cross origin responses. It does not stop the request from being sent, and the browser still attaches the cookies it holds for the target site. A malicious page can therefore submit a form to your bank with the victim's session cookie, and the bank will process it; the attacker's script just cannot read the reply. That is why cookies plus the same origin policy are not a defense against cross site request forgery on their own: state changing endpoints still need anti forgery tokens, SameSite cookie attributes, or an Origin header check.

Common confusions

  • Embedding an image, stylesheet or script from another origin is allowed: the browser renders or executes the bytes, but the page's scripts cannot read them as data.
  • The DOM of a cross origin iframe is hidden from the parent, and the parent's DOM from the frame; the two can only exchange messages via postMessage.
  • The policy is enforced by the browser, not the server, so it gives the server no protection: curl, scripts and other non browser clients are not bound by it.
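The two paragraphs above (the request is sent but the reply is unreadable; the rule binds the browser, not the server) as an added example that is not part of the lesson. It is a deliberately simplified model, not real browser or server code: a bank server and an attacker page on the constructed hosts bank.example and evil.example, a browser that attaches cookies and forwards every request but hides cross origin replies, and an optional Origin header check as the extra forgery defense. The session id, balances and the `checkOrigin` flag are all assumptions made for the demonstration.

```javascript
// Added example, not from the lesson: a toy model of the same-origin policy.
// Hosts bank.example / evil.example, the session "sess-123" and the balances
// are constructed for illustration.
const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;
const BANK_ORIGIN = "https://bank.example";

// The bank: a session cookie identifies the user; POST /transfer moves money.
// With checkOrigin on, state-changing requests from another origin are refused,
// which is one of the standard cross-site request forgery defenses.
function makeBankServer({ checkOrigin = false } = {}) {
  const sessions = { "sess-123": "alice" };
  const balances = { alice: 100 };
  const log = [];
  return {
    balances,
    log,
    handle(req) {
      log.push(req); // every request reaches the server, cross-origin or not
      const user = sessions[req.cookies.session];
      if (!user) return { status: 401, body: "not logged in" };
      if (req.method === "POST") {
        if (checkOrigin && req.origin !== BANK_ORIGIN) {
          return { status: 403, body: "cross-origin POST rejected" };
        }
        if (req.path === "/transfer") {
          balances[user] -= req.body.amount;
          return { status: 200, body: `sent ${req.body.amount} to ${req.body.to}` };
        }
      }
      return { status: 200, body: `balance ${balances[user]}` };
    },
  };
}

// The browser: attaches the cookies it holds for the target host, sends the
// request regardless of who initiated it, then decides whether the *script*
// that made the request may see the reply. Cross-origin replies come back
// opaque: no status, no body. (A real browser also sends the Origin header on
// cross-origin POSTs; this model always includes it.)
function browserFetch({ pageUrl, targetUrl, method = "GET", body = null, cookieJar, server }) {
  const target = new URL(targetUrl);
  const resp = server.handle({
    method,
    path: target.pathname,
    body,
    cookies: cookieJar[target.host] || {},
    origin: new URL(pageUrl).origin,
  });
  if (sameOrigin(pageUrl, targetUrl)) return { opaque: false, status: resp.status, body: resp.body };
  return { opaque: true, status: 0, body: null };
}

// Three requests: the bank's own page reading a balance, an attacker page
// forging a transfer, and a non-browser client (think curl) that talks to the
// server directly and is not bound by the policy at all.
function runScenario({ checkOrigin = false } = {}) {
  const server = makeBankServer({ checkOrigin });
  const cookieJar = { "bank.example": { session: "sess-123" } }; // alice is logged in
  const own = browserFetch({ pageUrl: "https://bank.example/account", targetUrl: "https://bank.example/balance", cookieJar, server });
  const forged = browserFetch({
    pageUrl: "https://evil.example/",
    targetUrl: "https://bank.example/transfer",
    method: "POST",
    body: { to: "mallory", amount: 40 },
    cookieJar,
    server,
  });
  const direct = server.handle({ method: "GET", path: "/balance", body: null, cookies: { session: "sess-123" }, origin: null });
  return { own, forged, direct, balance: server.balances.alice, requestsSeen: server.log.length };
}
```

Without the Origin check, `runScenario()` shows the forged transfer going through (balance drops to 60) even though the attacker's `forged` result is opaque, while the direct client reads the balance freely; with `runScenario({ checkOrigin: true })` the server refuses the cross origin POST and the balance stays at 100. The policy hid the reply in both runs; only the server side check stopped the damage.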

This boundary is the foundation that CORS later relaxes in a controlled way.

Key idea

The same origin policy lets a page read only responses sharing its scheme, host, and port, isolating sites inside the browser while still allowing requests to be sent.

Check yourself

1. What defines an origin?

2. What does the same origin policy primarily prevent?