Why does the same-origin policy prevent GET responses from being read?

I did some research on the Internet and looked at a few questions about SOP and what abuse it mitigates, but most of the answers focus on preventing credential theft. That makes sense to me.

What doesn't make sense to me is why browsers following SOP rules block the response itself, instead of blocking access to cookies and local storage.

In other words, if cookies and local storage did not exist, would there still be a need to prevent GET responses from being read? Presumably this already happens to some extent with <img>, <script> and <iframe>.

+6
1 answer

According to the Mozilla Developer Network:

The same-origin policy restricts how a document or script loaded from one origin can interact with a resource from another origin. It is a critical security mechanism for isolating potentially malicious documents.

According to RFC 6454:

Although user agents group URIs into origins, not every resource in an origin carries the same authority (in the security sense of the word "authority", not in the [RFC3986] sense). For example, an image is passive content and therefore carries no authority, meaning the image has no access to the objects and resources available to its origin. By contrast, an HTML document carries the full authority of its origin, and scripts within (or imported into) the document can access every resource in its origin.

To answer your question: even if cookies and local storage did not exist, it would still be dangerous to execute an unknown script in the context of the document. Such scripts could issue XHR requests from the same IP address as the authorized scripts and misbehave.

+3
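The reasoning in this answer, as an added example that is not from the original thread: a JavaScript model of the decision a browser makes before exposing a cross-origin GET response to script, using the RFC 6454 origin comparison (scheme, host, port) and the CORS opt-in headers. The origins and headers below are constructed sample values; `canReadResponse` is a hypothetical helper, not a browser API.

```javascript
// Added example (not from the original thread). Models why a script in one
// document cannot read a GET response from another origin unless the server
// opts in via CORS, regardless of whether cookies were attached.

// RFC 6454: an origin is the (scheme, host, port) triple. The WHATWG URL
// serialization already omits default ports, so https://a.example:443 and
// https://a.example compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

function sameOrigin(urlA, urlB) {
  return originOf(urlA) === originOf(urlB);
}

// Decide whether a script running in `documentUrl` may read the body of a
// GET response fetched from `requestUrl`. `responseHeaders` uses lowercase
// header names; `withCredentials` says whether cookies/auth were sent.
// Returns { readable, reason }.
function canReadResponse({ documentUrl, requestUrl, responseHeaders = {}, withCredentials = false }) {
  if (sameOrigin(documentUrl, requestUrl)) {
    return { readable: true, reason: "same origin" };
  }
  const origin = originOf(documentUrl);
  const allow = responseHeaders["access-control-allow-origin"];
  if (allow === undefined) {
    // No CORS opt-in: the fetch still reaches the server (e.g. an intranet
    // host the user's machine can see), but the body stays opaque to script.
    return { readable: false, reason: "cross-origin and no Access-Control-Allow-Origin" };
  }
  if (allow === "*") {
    return withCredentials
      ? { readable: false, reason: "wildcard origin is not allowed with credentials" }
      : { readable: true, reason: "server opted in for any origin" };
  }
  if (allow !== origin) {
    // Browsers compare the serialized origin to the header byte-for-byte.
    return { readable: false, reason: `Access-Control-Allow-Origin ${allow} does not match ${origin}` };
  }
  if (withCredentials && responseHeaders["access-control-allow-credentials"] !== "true") {
    return { readable: false, reason: "credentialed request needs Access-Control-Allow-Credentials: true" };
  }
  return { readable: true, reason: "server opted in for this origin" };
}

// Constructed scenario from the answer: a page on the public web fetching an
// intranet host with no cookies at all. The request goes out; the read is blocked.
const intranetCase = canReadResponse({
  documentUrl: "https://public.example/page",
  requestUrl: "http://intranet.local/status",
});
```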

Source: https://habr.com/ru/post/1013231/
