Working in software development I am always surprised by how often developers don’t understand the security model of the platforms they work on. In this article I would like to share with you some of the basics of browser security. The topic has a lot of depth but I believe if one understands several fundamental principle they will be far better equipped to build a secure site.
Same origin policy
In order to prevent a malicious site from accessing data from another site browsers prevent data from prevent data from being loaded across origins. An origin is the combination of the schema, domain (or hostname) and port. If a browser is pointed at http://example.com it can not load data from any of the following urls.
|https://example.com||Schema is different|
|http://www.example.com||Domain is different|
|http://example.com:8080||Port is different|
|http://jmaxxz.com||Domain is different|
|ftp://example.com||Schema is different|
A cookie is a small piece of data which the browser automatically includes on requests. All cookies are specific to a domain, and all cookies will be sent to subdomains of the domain for which they are set. For example a cookie issues for example.com will be sent to www.example.com and x.example.com. A cookie issued for example.com will not be sent to jmaxxz.com or any other domain which is not a subdomain of example.com. Similarly a cookie issued for www.example.com will not be sent to x.example.com. Additionally a cookie issued for www.example.com will not be sent to example.com.
It is important to understand that once a cookie is set for a domain it will be included on all requests to that domain until the cookie expires or is removed.
Websockets do not enforce the same origin policy so it up to application developers to ensure 3rd party sites can not access sensitive data over websockets by checking the origin during socket initialization.
As previously mentioned websites can not access data from other domains, however it is important to remember any site can cause the user’s browser to make a request to any other site. Furthermore the cross origin policy does not apply to code, images, css, and fonts. Additionally in recent years a new standard has emerged which allows sites to opt out of the cross origin policy for its data.