Same-origin policy in layman's terms

Can someone help me better understand the same-origin policy? I have seen several websites describing it, but I am looking for a much simpler explanation: how would you describe it to a child?

This link seems to be the best work I've found. Can anyone expand? Can someone explain why this policy exists?

+6
2 answers

The same-origin policy is necessary to prevent CSRF. Imagine this scenario:

  1. Bank manager Joe Fatkat has an account in his bank's administration backend. This account allows him to retrieve confidential account information for everyone who banks at TBtF Bank. He can even reset someone's PIN, transfer funds, change the owner of an account, etc.
  2. Now TBtF Bank lays off Jack the IT Guy. Now he is Jack the Disgruntled Ex-IT Guy, and he wants revenge on his former employer. Jack does not have access to the bank's administration backend, but he knows what Joe does.
  3. So Jack sends his former boss an email with a link to a page that Jack created. The page contains this JavaScript:

```javascript
var xhr = new XMLHttpRequest(),
    data = "from=" + victimAccount + "&to=" + jacksAccount + "&amt=a+gazillion+dollars";
xhr.open("POST", "http://tbtfbank.tld/accounts/wiretransfer.aspx", true);
xhr.send(data);
```

  4. The next day, Joe arrives at his office and logs into his administrative account, as always, and leaves the tab open in the background.
  5. Joe sees an email containing links to pictures of Natalie Portman covered in hot mushrooms. So, of course, he clicks on it, opening the malicious web page.
  6. The browser runs the JavaScript on the page, which sends an AJAX POST request to the TBtF Bank server. Since Joe is already logged in to the site and has an active session, the banking application accepts the command and transfers a million dollars into Jack's offshore bank account.

And Jack could just as easily use the same technique to harvest thousands of account numbers and PINs, or any other information the bank manager has access to through his account.

Fortunately, the same-origin policy protects us from these types of attacks most of the time, because Jack's malicious page is hosted on a different domain from the banking application, so it is not allowed to make XHR requests to the banking application. Although the malicious page may still contain an image that makes a GET request to the banking application, it is important that side effects are not triggered by GET requests, that applications check the Referer header of the requests they receive, and that they use anti-CSRF tokens.

+22

This basically means that only scripts served from the same domain can access each other's objects and properties without restriction (so, if you have a .js file with certain functions, you can call them from any other file on the same domain).

So, if you are using a script from another domain, restrictions apply.

This policy exists because it is too easy to insert a link to a JavaScript file (for example, some JavaScript code that injects a link to such a file) that lives on another domain. This is a security risk: you really only want code that comes from the site itself to execute, and not just any code that is out there.

+4
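The answer above talks about "the same domain", but a browser actually compares a triple of scheme, host and port, and ignores the path. The following is an added example, not from the answer, that computes that triple with the standard WHATWG `URL` class and checks pairs of constructed `tbtfbank.tld` URLs against it; the function names `originOf` and `sameOrigin` are ours.

```javascript
// Added example (not part of the original answer): how a browser decides whether two
// URLs share an origin. The origin is (scheme, host, port); path, query and fragment
// play no part. All hostnames below are constructed for illustration.
function originOf(url) {
  const u = new URL(url);
  // URL parsing already drops a scheme's default port (":443" for https, ":80" for
  // http), so u.port is "" for both; fill it in explicitly so the triple is visible.
  const defaultPorts = { "http:": "80", "https:": "443" };
  const port = u.port || defaultPorts[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases: [url A, url B, expected same-origin result, why]
const CASES = [
  ["https://tbtfbank.tld/accounts", "https://tbtfbank.tld/admin?x=1", true,  "path and query ignored"],
  ["https://tbtfbank.tld",          "https://tbtfbank.tld:443/",      true,  "default port"],
  ["https://tbtfbank.tld",          "http://tbtfbank.tld",            false, "different scheme"],
  ["https://tbtfbank.tld",          "https://www.tbtfbank.tld",       false, "subdomain is a different host"],
  ["https://tbtfbank.tld",          "https://tbtfbank.tld:8443",      false, "different port"],
  ["https://tbtfbank.tld",          "https://jacks-page.example",     false, "different host entirely"],
];

// Returns one entry per case, each marked pass/fail against the expected result.
function runCases() {
  return CASES.map(([a, b, expected, why]) => ({
    a, b, why, got: sameOrigin(a, b), pass: sameOrigin(a, b) === expected,
  }));
}

module.exports = { originOf, sameOrigin, CASES, runCases };
```

The subdomain and port rows are the ones people trip over: `www.tbtfbank.tld` and `tbtfbank.tld` are different origins even though they belong to the same site, which is why a script on one cannot read the other's DOM or XHR responses without the second explicitly opting in (for example via CORS headers).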

Source: https://habr.com/ru/post/920435/
