Same Site Same Origin

The original implementation of the internet protocols and browsers was very promising about functionality but also has been naive regarding information security and privacy.

One aspect in the later is based on the fact that multiple web sites can share content, images, tracking pixels and scripts that - by intention or not - offers insights into the behavior of the user.

In the last years there were some refinements and corrections implemented, one of them are based on the terms cross-site and cross-domain.

In brief: The displayed page and the included assets can control what is allowed regarding integration. The mechanisms in the browser gets hints and will allow / block according them.

• To protect your web application you can specify from what site additional content like images, scripts, iframes sources etc. can be included.
• To protect your assets you can specify how they can be included.

Understanding is fundamental to controlling.

Where the same sites or same origin applies

• The download attribute in hyperlinks is only supported on links to the same-origin.
• Cookies delivery can be controlled using the SameSite flag
• iFrame source
• iframe accessibility of content window and document
• accessibility to the parent window from an iframe
• using localStorage, sessionStorage, indexedDB, workers
• Cross-Origin-Opener-Policy, Cross-Origin-Embedder-Policy, crossOriginIsolated
• Cross-Origin Resource Sharing (CORS), Content-Security-Policy
• Loading JavaScript (CORS)
• Loading Fonts (CORS)
• fetch() initiated requests (CORS)
• inbound requests initiated by other applications (X-Frame-Options)
• and more...

More reading material

I don't like to repeat material available on the web so here are links to articles giving an intro I can recommend to understand the new features, the effects and options:

• https://www.w3.org/TR/CSP/
• https://web.dev/same-site-same-origin/ - Good intro article
• https://contentlab.io/what-web-developers-need-to-know-about-content-security-policy/
• https://content-security-policy.com/

More developer level information and references:

• https://www.w3.org/2011/webappsec/
• https://publicsuffix.org/list/ - What is a top level domain can be found in this long list.
• https://www.w3.org/TR/fetch-metadata/ - About the fetch before the fetch.
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Access-Control-Allow-Origin - control reuse of your assets
• https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
• https://developer.mozilla.org/en-US/docs/Web/HTTP/CORS
• https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy
• https://dev.to/didof/cors-preflight-request-and-option-method-30d3
• https://developers.google.com/web/updates/2020/10/http-cache-partitioning - Changes in the caching behavior.
• https://docs.google.com/document/d/1V8sFDCEYTXZmwKa_qWUfTVNAuBcPsu6FC0PhqMD6KKQ/edit - The Storage Isolation project
• https://owasp.org/www-community/attacks/csrf
• https://securityintelligence.com/an-introduction-to-http-response-headers-for-security/

Tags