Konubinix' opinionated web of thoughts

Same-Origin Policy

Fleeting

Same-origin policy - Web Security | MDN

If the user were logged onto example.com with basic auth or some cookies, then visited attacker.com, the latter site could create an XMLHttpRequest to example.com with full authorisation for that user and read any private page that the user could (then forward it back to the attacker)

https://stackoverflow.com/questions/1830050/why-same-origin-policy-for-xmlhttprequest

an attacker could make requests out to other non-public machines on your intranet and read any files it can download from them which may not be meant for public consumption

https://stackoverflow.com/questions/1830050/why-same-origin-policy-for-xmlhttprequest

the same-origin policy restricts how a document or script loaded from one origin can interact with a resource loaded from another origin

https://developer.mozilla.org/fr/docs/Web/Security/Same-origin_policy

same origin if the protocol, the port (if specified) and the host are the same for both pages.

https://developer.mozilla.org/fr/docs/Web/Security/Same-origin_policy

cookies use a definition of origin that differs from the one just given

https://developer.mozilla.org/fr/docs/Web/Security/Same-origin_policy

origin is defined by the scheme, host, and port of a URL.

https://www.w3.org/Security/wiki/Same_Origin_Policy
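To make the two definitions of origin quoted above concrete (scheme/host/port for scripts, a looser host-based rule for cookies), here is an added JavaScript example of my own, not code from MDN, the W3C wiki or the Stack Overflow answer. It uses the WHATWG URL class; the cookieDomainMatches helper is a constructed, simplified rendering of cookie domain matching, not a full cookie jar.

```javascript
// Added example: the browser's same-origin rule (scheme, host, port)
// next to the looser cookie rule (host suffix only, scheme and port ignored).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL to its origin tuple. The WHATWG URL parser drops an explicit
// default port, so "https://a.example:443" and "https://a.example" agree.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same-origin policy as quoted above: all three components must match.
function isSameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Cookie scoping (simplified domain-match): a cookie set with
// Domain=example.com is sent to any host equal to it or ending in
// "." + it, whatever the scheme or port. Constructed helper for illustration.
function cookieDomainMatches(requestUrl, cookieDomain) {
  const host = new URL(requestUrl).hostname.toLowerCase();
  const d = cookieDomain.toLowerCase().replace(/^\./, "");
  return host === d || host.endsWith("." + d);
}

// Usage: the two rules disagree whenever only the scheme or port changes.
const pairs = [
  ["https://example.com/a", "https://example.com:443/b"],  // same origin
  ["https://example.com/a", "http://example.com/b"],       // scheme differs
  ["https://example.com/a", "https://example.com:8443/b"], // port differs
  ["https://example.com/a", "https://api.example.com/b"],  // host differs
];
for (const [a, b] of pairs) {
  console.log(a, "->", b,
    "| same-origin:", isSameOrigin(a, b),
    "| cookie Domain=example.com sent:", cookieDomainMatches(b, "example.com"));
}
```

The last three pairs are cross-origin for scripts, yet a cookie scoped to example.com is still attached to each request, which is why a cross-origin request can carry the victim's session even though the script cannot read the response.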

overarching intent is to let users visit untrusted web sites without those web sites interfering with the user’s session with honest web sites

https://www.w3.org/Security/wiki/Same_Origin_Policy

prevents a malicious website on the Internet from running JS in a browser to read data from a third-party webmail service (which the user is signed into) or a company intranet (which is protected from direct access by the attacker by not having a public IP address) and relaying that data to the attacker.

https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy