Same-Origin Policy

Security

Overview

The Same-Origin Policy (SOP) is the browser's baseline security rule that prevents a script loaded from one origin from freely accessing resources from another origin.

Without it, JavaScript on a malicious site could read the responses from your bank's site, so SOP is a cornerstone of web security.

Details

SOP primarily blocks reading. Sending a `fetch` to a different origin is allowed, but reading the response body from JavaScript is blocked by default. DOM access and cookie/storage access are likewise isolated by origin boundary.

There are exceptions: embedding cross-origin resources via `<img>`, `<script>`, or `<link>` has always been permitted, and that looseness is exactly what CSRF exploits (the request is sent even though the response can't be read). Because SOP is often too strict — blocking legitimate cross-origin API calls — CORS is the standard that safely relaxes it. In other words, CORS opens SOP only within the bounds the server explicitly grants.

Related types