Glossary

Same-origin policy

SOP · /seɪm ˈɒrɪdʒɪn ˈpɒlɪsi/

The same-origin policy is the browser's default security rule: JavaScript running on one origin cannot read responses, DOM, or storage belonging to another origin. CORS is the standard way for a server to explicitly opt out of this restriction for specific origins.

Why it exists

Without it, any website you opened could quietly issue requests to your bank, your email, or your company's intranet — using your browser's existing session cookies — and read the responses. The web simply wouldn't be safe to browse with multiple tabs open.

The same-origin policy is the reason logging into Gmail in one tab doesn't let a malicious page in another tab read your inbox. The malicious page can still send requests (your browser will include the cookies), but it can't read the response.

What it actually restricts

What it allows anyway

Several things were allowed before the same-origin policy existed and stayed allowed for backwards compatibility:

Same origin vs same site

A subtler distinction the browser also tracks: "same site" is laxer. app.example.com and api.example.com are different origins (different host) but the same site (same registrable domain). Newer cookie attributes like SameSite=Strict use the site boundary; CORS and the same-origin policy use the origin boundary.

See also

CORS Origin Credentialed request Preflight