CHAPTER 5
Browser Security Principles: The Same-Origin Policy

We’ll Cover

• Defining the same-origin policy

• Exceptions to the same-origin policy

Many of the security principles we’ve talked about and will talk about in this book deal with protecting your server resources. You want to be sure that unauthorized users can’t access the system; you want to be sure that attackers can’t break into your databases and steal your data; you want to be sure that no one can slow your system down so that it’s unavailable for everyone else. It’s vital that you defend against these kinds of attacks, but this chapter focuses on a completely different yet equally important area: the principles of browser security.

Web browsers have controls built into them in order to prevent malicious web sites from stealing users’ personal data. Browsers restrict the ways that web pages can communicate with web servers and with other windows in the browser. However, they only slightly restrict these communications—they couldn’t block them completely, or the web would be a pretty boring place. Usually, these subtle limitations are enough to thwart would-be attackers. But if a web application has certain flaws in its code—sometimes very small flaws that are very easy to overlook—then all bets are off, and attackers can completely bypass the inherent protections that browsers offer their users. The next two chapters provide a detailed look at both the browser protections that we’re supposed to have, and the vulnerabilities and exploits that attackers use to negate them.

It makes sense to start our examination of browser security with a discussion of the same-origin policy, since the same-origin policy is essentially the foundation of most browser security principles. Without it, any site on the Internet could access the confidential user information of any other site. All of the attack techniques we’ll be talking about in the next chapter, like cross-site scripting and cross-site request forgery, are essentially ways for attackers to bypass the inherent defense of the same-origin policy. Unfortunately, the attackers are sometimes unwittingly aided in their attempts by the application developers themselves. But before we get into that, we need to define exactly what the same-origin policy is and how it works.
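The chapter has not yet defined the policy, so as an added illustration (not from the book) the following JavaScript shows the decision a browser makes before it lets script on one page touch another page or read another server’s response: the two URLs must agree on scheme, host, and port. That three-part tuple is the standard browser definition of an origin; the sample URL pairs are constructed for this example.

```javascript
// Added example, not from the book: reproduce the browser's same-origin test.
// An origin is the tuple (scheme, host, port); path, query and fragment do not count.

function originOf(urlString) {
  const u = new URL(urlString);
  // The WHATWG URL parser lowercases the host and drops a scheme's default port
  // (https://example.com:443 parses with port ""), so those variations still
  // compare equal, just as they do in the browser.
  return { scheme: u.protocol, host: u.hostname, port: u.port };
}

function isSameOrigin(urlA, urlB) {
  const a = originOf(urlA);
  const b = originOf(urlB);
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Constructed pairs: a page at the first URL trying to read content from the second.
const SAMPLE_PAIRS = [
  ["https://example.com/account", "https://example.com/api/balance?id=7#top"], // same origin
  ["https://example.com/account", "http://example.com/api/balance"],           // scheme differs
  ["https://example.com/account", "https://example.com:443/api/balance"],      // explicit default port
  ["https://example.com/account", "https://example.com:8443/api/balance"],     // port differs
  ["https://example.com/account", "https://www.example.com/api/balance"],      // subdomain is a different host
  ["https://EXAMPLE.com/account", "https://example.com/api/balance"],          // host compare is case-insensitive
];

// Returns one decision record per pair; "blocked" means the browser would deny script access.
function classifyPairs(pairs) {
  return pairs.map(([page, target]) => ({
    page,
    target,
    decision: isSameOrigin(page, target) ? "allowed" : "blocked",
  }));
}

for (const r of classifyPairs(SAMPLE_PAIRS)) {
  console.log(`${r.decision.padEnd(7)} ${r.page} -> ${r.target}`);
}
```

Only the first, third, and sixth pairs are allowed; every other difference, even a single port number, makes the target a foreign origin whose content the page’s script may not read. The policy restricts reading, not sending: a page can still submit a request to any origin, which is exactly the gap the cross-site request forgery discussion in the next chapter builds on.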
