data:image/s3,"s3://crabby-images/29c3e/29c3e073c9c89c5a34f32362fd6829397d748891" alt="Origin download calculating"
In computing, the same-origin policy (sometimes abbreviated as SOP) is an important concept in the web application security model. Under the policy, a web browser permits scripts contained in a first web page to access data in a second web page, but only if both web pages have the same origin. An origin is defined as a combination of URI scheme, host name, and port number. This policy prevents a malicious script on one page from obtaining access to sensitive data on another web page through that page's Document Object Model.

This mechanism bears a particular significance for modern web applications that extensively depend on HTTP cookies to maintain authenticated user sessions, as servers act based on the HTTP cookie information to reveal sensitive information or take state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client-side to prevent the loss of data confidentiality or integrity.

It is very important to remember that the same-origin policy applies only to scripts. This means that resources such as images, CSS, and dynamically-loaded scripts can be accessed across origins via the corresponding HTML tags (with fonts being a notable exception). Attacks take advantage of the fact that the same origin policy does not apply to HTML tags.
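The origin definition above (scheme, host, port) is easy to get subtly wrong, for example by treating an explicit default port as different from an implied one, or by assuming that a differing path or query string makes a URL cross-origin. The following JavaScript is an added example, not code from the original page: it computes the origin triple the text describes with the standard URL API and compares two URLs on exactly those three components. The base URL and the comparison table are constructed sample values, and `originOf`, `sameOrigin` and `runCases` are names chosen here for illustration.

```javascript
// Added example (not from the original page): the (scheme, host, port) origin
// triple and a same-origin comparison built from it. Browsers expose the same
// result as URL.prototype.origin; the triple is spelled out here to match the text.

// Ports implied by the scheme when the URL carries none. An explicit ":443" on
// an https URL is the same origin as the URL without it.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const u = new URL(urlString);              // throws on malformed input
  // URL lower-cases scheme and host; the port is "" when it is the scheme default.
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin iff all three components match. Path, query and
// fragment play no part, so "/account" and "/api/balance" on one host are one origin.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  return oa.scheme === ob.scheme && oa.host === ob.host && oa.port === ob.port;
}

// Constructed sample: a page on app.example.com compared against other URLs.
const BASE = "https://app.example.com/account/settings";
const CASES = [
  ["https://app.example.com/api/balance?id=7", true],  // only path and query differ
  ["https://APP.example.com:443/", true],              // explicit default port, case-insensitive host
  ["http://app.example.com/", false],                  // scheme differs
  ["https://app.example.com:8443/", false],            // port differs
  ["https://api.example.com/", false],                 // host differs (sibling subdomain)
  ["https://example.com/", false],                     // parent domain is a different origin
];

// Returns one record per case so the results can be inspected or asserted on.
function runCases() {
  return CASES.map(([url, expected]) => ({ url, same: sameOrigin(BASE, url), expected }));
}

for (const r of runCases()) {
  console.log(`${r.same ? "same   " : "cross  "} ${r.url}`);
}
```

The subdomain and parent-domain rows are the ones worth keeping in mind when reviewing a deployment: a session cookie scoped to `example.com` is sent to both `app.example.com` and `api.example.com`, yet scripts on those two hosts are still cross-origin to each other under this policy.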
data:image/s3,"s3://crabby-images/29c3e/29c3e073c9c89c5a34f32362fd6829397d748891" alt="Origin download calculating"