What is the same-origin policy for?

I am not able to understand why we need this rule. If it is so important, why can we find so many workarounds to address it? Like JSONP, CORS etc.?

Is there any example that can demonstrate the damage without this rule?

If you look at the MDN article, you'll see this:

Cross-origin writes are typically allowed. Examples are links, redirects and form submissions. Certain rarely used HTTP requests require preflight.

Cross-origin embedding is typically allowed. Examples are listed below.

Cross-origin reads are typically not allowed, but read access is often leaked by embedding. For example you can read the width and height of an embedded image, the actions of an embedded script, or the availability of an embedded resource.

Here's a good post on security StackExchange:

Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same-origin policy, JavaScript on that website could do anything to your Facebook account that you are allowed to do. For example read private messages, post status updates, analyse the HTML DOM tree after you entered your password before submitting the form.

Regarding your question about why there is CORS, JSONP, etc. (i.e., ways to get around the same-origin policy): this allows domains to specify ways for other origins to access their APIs (read content, etc.). CORS, for example, allows servers to specify a whitelist of safe domains that are allowed to, say, read from the server.

Cross-origin security prevents one web site from stealing information from another web site that is logged in as you.

For example, if I create a web site and I frame the Gmail site which you are regularly logged into, and my web page is allowed to reach across to the Gmail frame and read all your emails in the Gmail web page, then I can easily steal lots of your info. Extend this to your banking site, your PayPal site, etc. All I would have to do to get access to this is to get you to come to my malicious site once when you happened to be logged into one of these other vulnerable sites. Cross-origin security prevents this type of cross-site access so a non-trusted web site can't arbitrarily steal information from another web page in the same browser.

The specific danger of accessing another site's web page "in the browser" is that the web page in the browser has access to all of your login cookies for that site, so it often shows data that is not normally available to the general public via any public interface without also having legitimate login credentials. This is why the web pages displayed in browsers must be protected.

The "work-arounds" such as JSONP or CORS all require cooperation from the host site, so they can only be used if the host site feels that the interface they are permitting to be used through those mechanisms is safe and appropriate. You cannot take a regular interface and, as a client, just use that via JSONP or CORS - it won't work. Both of those mechanisms require the server to specifically enable the cross-origin access mechanism.
