One of the most important and critical points of web application security is the same-origin policy (SOP).
This policy prevents a script or a document from getting or setting properties of another document that comes from a different origin.
Let's see some examples:
The origin of http://www.example.com is different from https://www.example.com because the protocol (scheme) is different.
The origin of http://www.example.com is different from http://admin.example.com because the host is different.
Why is the SOP important?
Let's imagine our bank site without the SOP.
A malicious attacker lures us into visiting a site while we are already logged in to our bank.
What could happen here is that the attacker crafts a malicious page and, once we visit it, gains access to personal information from our bank account.
More precisely, the browser still sends the request, but it exposes the response to the calling script only if the SOP is respected.
Here are some examples:
1) The document index.html on domain a.example.com (referred to as origin1: http://a.example.com) wants to access, via an Ajax request, the home.html page on domain b.example.com (referred to as origin2: http://b.example.com). This is not possible because the two documents have different origins, so the SOP blocks access to the response.
2) We have two documents: the main document http://www.example.com/index.html and the iframe document http://www.example.com/iframe.html. Both share the same scheme, host and port, so they are same-origin and may access each other's content.
Exceptions: there are a few exceptions to the SOP restrictions, such as:
cross-window messaging (window.postMessage)
cross-origin resource sharing (CORS)
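The following is an added example, not code from the original page. It models in plain JavaScript (runnable under Node, which provides the WHATWG URL class) the three ideas above: the origin comparison behind the two "different origin" examples, the browser's decision to hand a fetched response to the script only when the SOP is respected or the server opts in through CORS, and the origin check a page should perform on messages arriving through the cross-window messaging exception. The `responseHeaders` object, the `event` object and the `TRUSTED_ORIGINS` set are constructed stand-ins for real browser data, and the decision logic is a simplified model of the browser's behaviour rather than a full implementation of the CORS specification.

```javascript
// Added example: a simplified model of how a browser applies the same-origin
// policy. Uses the WHATWG URL class (built into Node and browsers).

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Reduce a URL to its origin tuple (scheme, host, port). The default port is
// filled in so that http://a.example.com and http://a.example.com:80 compare
// equal, which is what browsers do.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs are same-origin only when scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Simplified model of the browser's decision after a script on `documentUrl`
// fetches `requestUrl`: the request is always sent, but the response body is
// exposed to the script only when the origins match or the server opts in
// via the CORS header Access-Control-Allow-Origin (ACAO).
// `responseHeaders` is a constructed, lower-cased header map for the example.
function canReadResponse(documentUrl, requestUrl, responseHeaders = {}) {
  if (sameOrigin(documentUrl, requestUrl)) return true;
  const acao = responseHeaders['access-control-allow-origin'];
  if (!acao) return false;          // no CORS opt-in: response stays hidden
  if (acao === '*') return true;    // server allows any origin to read it
  // Otherwise the header must name the requesting document's exact origin.
  return acao === new URL(documentUrl).origin;
}

// Cross-window messaging is an SOP exception, so the receiving page must
// check event.origin itself. TRUSTED_ORIGINS is a constructed allow-list;
// `event` is a constructed object shaped like a browser MessageEvent.
const TRUSTED_ORIGINS = new Set(['https://www.example.com']);

function acceptMessage(event) {
  if (!TRUSTED_ORIGINS.has(event.origin)) return null; // drop untrusted sender
  return event.data;
}

// Worked cases from the text above.
function demo() {
  return {
    schemeDiffers: sameOrigin('http://www.example.com', 'https://www.example.com'),
    hostDiffers: sameOrigin('http://www.example.com', 'http://admin.example.com'),
    ajaxAcrossOrigins: canReadResponse('http://a.example.com/index.html',
                                       'http://b.example.com/home.html'),
    ajaxWithCors: canReadResponse('http://a.example.com/index.html',
                                  'http://b.example.com/home.html',
                                  { 'access-control-allow-origin': 'http://a.example.com' }),
    iframeSameOrigin: canReadResponse('http://www.example.com/index.html',
                                      'http://www.example.com/iframe.html'),
  };
}

console.log(demo());

module.exports = { originOf, sameOrigin, canReadResponse, acceptMessage, demo };
```

Running the block prints `false` for the two origin-mismatch cases and the plain cross-origin Ajax request, and `true` for the same-origin iframe case and for the cross-origin request once the server's ACAO header names the requesting origin. The `acceptMessage` check is the part developers most often forget: postMessage deliberately bypasses the SOP, so without an explicit `event.origin` comparison any page that can obtain a window reference can inject data.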