Application Security · Flashcard

What does the same-origin policy primarily restrict?

  • AScripts reading data from another origin — it blocks cross-origin access to responses and the DOM
  • BServers accepting requests from another origin — it rejects any inbound cross-site traffic
  • CBrowsers sending any request to another origin — it stops all cross-origin network calls
  • DUsers navigating links to another origin — it confines browsing to the initial site only

Why this is the answer

SOP restricts one origin's script from reading another origin's data (responses, DOM, cookies). It does not stop requests from being sent (that is why CSRF works), does not block navigation, and is enforced by the browser, not the server.

Official docs
Study in Gnoseed →