browser mechanism which enables controlled access to resources located outside of a given domain.

A needs some resources it does not have and requests them from another site B, so a CORS policy has to be set up for A to fetch them securely.

CORS is not a protection against CSRF.

Same-origin policy (SOP)

restrictive cross-origin specification that limits the ability for a website to interact with resources outside of the source domain.

restricts scripts on one origin from accessing data from another origin. An origin consists of a URI scheme, domain and port number. For example, consider the following URL: http://normal-website.com/example/example.html

How the same-origin policy is applied if content at the above URL tries to access other origins:

| **URL accessed** | **Access permitted?** |
| --- | --- |
| `http://normal-website.com/example/` | Yes: same scheme, domain, and port |
| `http://normal-website.com/example2/` | Yes: same scheme, domain, and port |
| `https://normal-website.com/example/` | No: different scheme and port |
| `http://en.normal-website.com/example/` | No: different domain |
| `http://www.normal-website.com/example/` | No: different domain |
| `http://normal-website.com:8080/example/` | No: different port* |
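To make the comparison in the table concrete, here is an added example (not part of the original notes) that computes the (scheme, domain, port) tuple the SOP compares and checks every URL from the table against the page URL above; the default-port mapping is an assumption of this example, which is why `https://` differs in both scheme and port.

```javascript
// Added example: derive the origin tuple the same-origin policy compares
// and evaluate the table's URLs against http://normal-website.com/example/example.html.

// A URL without an explicit port still has one for SOP purposes (assumed defaults).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Return the {scheme, host, port} tuple for a URL string.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol];
  return { scheme: u.protocol, host: u.hostname, port };
}

// Compare two URLs' origins and report which components differ,
// so the output mirrors the "Access permitted?" column.
function sameOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  const differences = [];
  if (oa.scheme !== ob.scheme) differences.push("scheme");
  if (oa.host !== ob.host) differences.push("domain");
  if (oa.port !== ob.port) differences.push("port");
  return { permitted: differences.length === 0, differences };
}

const PAGE = "http://normal-website.com/example/example.html";
const TABLE = [
  "http://normal-website.com/example/",
  "http://normal-website.com/example2/",
  "https://normal-website.com/example/",
  "http://en.normal-website.com/example/",
  "http://www.normal-website.com/example/",
  "http://normal-website.com:8080/example/",
];

for (const target of TABLE) {
  const r = sameOrigin(PAGE, target);
  const verdict = r.permitted ? "Yes" : "No: different " + r.differences.join(" and ");
  console.log(`${target} -> ${verdict}`);
}
```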

Why SOP?

When a request is sent from one origin to another, everything is sent along with it (cookies, including authentication/session cookies).

So if the SOP did not exist and you visited a malicious site, it would be able to read your mails, messages, etc.

How is it implemented?

It controls the access that JS code has to content loaded cross-domain. Cross-origin loading of page resources itself is permitted.

Eg: SOP allows embedding of images via the `<img>` tag, media via the `<video>` tag and JavaScript includes with the `<script>` tag.

These external resources can be loaded by the page, but the JS on the page won't be able to read the content of the resources.

exceptions to SOP: