Origin

Web content’s origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it.

Same-origin policy

The same-origin policy is a critical security mechanism that restricts how a document or script loaded by one origin can interact with a resource from another origin.

Compared against the document at http://store.company.com/dir/page.html:

| URL | Outcome | Reason |
| --- | --- | --- |
| http://store.company.com/dir2/other.html | Same origin | Only the path differs |
| http://store.company.com/dir/inner/another.html | Same origin | Only the path differs |
| https://store.company.com/page.html | Failure | Different protocol |
| http://store.company.com:81/dir/page.html | Failure | Different port (http:// is port 80 by default) |
| http://news.company.com/dir/page.html | Failure | Different host |
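As an added example (not part of the original notes), the following script computes the origin tuple of a URL, filling in the default port for the scheme, and reproduces the comparison table above; it also goes one step beyond the table by checking that an explicit `:80` on an http:// URL still counts as the same origin. The candidate URL list is constructed from the table.

```javascript
// Default ports per scheme: an omitted port and the explicit default are the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Reduce a URL to its origin tuple (scheme, host, port). The WHATWG URL parser
// already drops a port equal to the scheme default, so we restore it explicitly.
function originOf(urlString) {
  const u = new URL(urlString); // throws TypeError on a malformed URL
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Compare two URLs under the same-origin policy and say which component differs.
function compareOrigin(a, b) {
  const oa = originOf(a);
  const ob = originOf(b);
  if (oa.scheme !== ob.scheme) return { sameOrigin: false, reason: "Different protocol" };
  if (oa.host !== ob.host) return { sameOrigin: false, reason: "Different host" };
  if (oa.port !== ob.port) return { sameOrigin: false, reason: "Different port" };
  return { sameOrigin: true, reason: "Same scheme, host and port (only the path may differ)" };
}

// Constructed input: the page URL and the candidates from the table, plus one
// extra case with the default port written out explicitly.
const PAGE = "http://store.company.com/dir/page.html";
const CANDIDATES = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/page.html",
  "http://store.company.com:81/dir/page.html",
  "http://news.company.com/dir/page.html",
  "http://store.company.com:80/dir/page.html",
];

// Build the outcome table as an array of rows.
function sameOriginTable(page, candidates) {
  return candidates.map((url) => ({ url, ...compareOrigin(page, url) }));
}

for (const row of sameOriginTable(PAGE, CANDIDATES)) {
  console.log(`${row.url} -> ${row.sameOrigin ? "Same origin" : "Failure"}: ${row.reason}`);
}
```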

CSP (Content Security Policy)

Content Security Policy is an added layer of security that helps to detect and mitigate certain types of attacks, including XSS (cross-site scripting) and data injection attacks. These attacks are used for everything from data theft, to site defacement, to malware distribution.

Browsers that don't support it still work with servers that implement it, and vice versa: browsers that don't support CSP ignore it, functioning as usual, defaulting to the standard same-origin policy for web content. If the site doesn't offer the CSP header, browsers likewise use the standard same-origin policy.

To enable CSP

  1. A <meta> element can be used to configure a policy:
     <meta
       http-equiv="Content-Security-Policy"
       content="default-src 'self'; img-src https://*; child-src 'none';" />
  2. Configure the web server to return the Content-Security-Policy HTTP header.

Example

  1. All content must come from the site's own origin:
     Content-Security-Policy: default-src 'self'
  2. Content from a trusted domain and all its subdomains: