Updated April 2026
Same-Origin Policy
The Same-Origin Policy is a fundamental browser security rule: scripts running on origin A cannot read responses from origin B. Two URLs share an origin if they have the same protocol, domain, and port. CORS creates controlled, server-approved exceptions to this rule.
What makes two URLs the same origin
| URL A | URL B | Same origin? | Reason |
|---|---|---|---|
| https://example.com/page | https://example.com/api | Yes | Same protocol, domain, port |
| https://example.com | http://example.com | No | Different protocol |
| https://example.com | https://api.example.com | No | Different subdomain |
| https://example.com | https://example.com:3000 | No | Different port |
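The comparison the table illustrates, written out as an added example (not code from the original page): the scheme, host and port of each URL are extracted with the standard `URL` parser and compared as a tuple. It goes slightly beyond the table by normalising default ports, so `https://example.com` and `https://example.com:443` compare as the same origin, and by returning which component differs. The `DEFAULT_PORTS` map and the function names are this example's own choices.

```javascript
// Added example: same-origin check by (scheme, host, port) tuple.
// Uses the WHATWG URL parser (available in browsers and Node).
const DEFAULT_PORTS = { "http:": "80", "https:": "443" }; // assumed mapping for normalisation

// Break a URL into the three components that define its origin.
// URL lower-cases the scheme and host and drops a default port, so
// "HTTPS://EXAMPLE.com:443/x" yields { scheme: "https:", host: "example.com", port: "443" }.
function originTuple(urlString) {
  const u = new URL(urlString); // throws on malformed input rather than guessing
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Returns the first differing component ("protocol", "domain" or "port"),
// or null when the two URLs share an origin. Path, query and fragment are ignored.
function originDifference(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x.scheme !== y.scheme) return "protocol";
  if (x.host !== y.host) return "domain";
  if (x.port !== y.port) return "port";
  return null;
}

function sameOrigin(a, b) {
  return originDifference(a, b) === null;
}

// Sanity check: the tuple comparison must agree with the parser's own
// serialised `origin` property for well-formed http(s) URLs.
function agreesWithUrlOrigin(a, b) {
  return sameOrigin(a, b) === (new URL(a).origin === new URL(b).origin);
}

// Stand-alone run over the rows from the table above.
if (typeof require !== "undefined" && require.main === module) {
  const rows = [
    ["https://example.com/page", "https://example.com/api"],
    ["https://example.com", "http://example.com"],
    ["https://example.com", "https://api.example.com"],
    ["https://example.com", "https://example.com:3000"],
  ];
  for (const [a, b] of rows) {
    console.log(a, "vs", b, "->", sameOrigin(a, b) ? "same origin" : "differs by " + originDifference(a, b));
  }
}

module.exports = { originTuple, originDifference, sameOrigin, agreesWithUrlOrigin };
```

Note that the check is purely on the three components: a different path (`/page` vs `/api`) never changes the origin, and host comparison is exact, so a subdomain is a different origin even though it is the same registrable domain.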
What it blocks
- Reading responses from `fetch()` or `XMLHttpRequest` to a different origin
- Accessing `window`, `document`, or cookies of a cross-origin frame
- Reading localStorage or sessionStorage across origins
What it does NOT block
The SOP blocks reading cross-origin responses, not all cross-origin requests. Browsers will send the request — they just won't give the response to your script. This distinction matters for CSRF attacks, which exploit the fact that requests are sent even when responses are blocked.
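Because the request is delivered regardless of whether the script may read the reply, a server that changes state on a request has to decide for itself whether that request came from its own pages. The following added example (not from the original page) shows the server-side check a defender would put in front of state-changing handlers: it prefers the `Sec-Fetch-Site` header that modern browsers attach, and falls back to the `Origin` and `Referer` headers otherwise. The request shape (`method` plus a lower-cased header object, as Node's `req.headers` provides) and the site origin `https://app.example` are assumptions of the example.

```javascript
// Added example: decide whether a state-changing request may proceed.
// A cross-site page can make the browser *send* a POST; the SOP only stops it
// from *reading* the reply, so the server must verify the request's source.
const SITE_ORIGIN = "https://app.example"; // assumed origin of the protected site
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]); // must never change state

// Extract "scheme://host[:port]" from a header value, or null if absent/malformed.
function originOf(headerValue) {
  if (!headerValue) return null;
  try {
    return new URL(headerValue).origin;
  } catch {
    return null;
  }
}

// Returns { allowed: boolean, reason: string } for a request
// { method: "POST", headers: { "sec-fetch-site": "...", origin: "...", referer: "..." } }.
function checkStateChangingRequest(req, siteOrigin = SITE_ORIGIN) {
  const method = req.method.toUpperCase();
  if (SAFE_METHODS.has(method)) {
    return { allowed: true, reason: "safe method; handler must not mutate state" };
  }
  const h = req.headers || {};

  // Fetch Metadata: the browser states how the request relates to the site.
  const site = h["sec-fetch-site"];
  if (site) {
    if (site === "same-origin" || site === "none") {
      return { allowed: true, reason: "sec-fetch-site=" + site };
    }
    // "same-site" (a sibling subdomain) and "cross-site" are both rejected.
    return { allowed: false, reason: "sec-fetch-site=" + site };
  }

  // Older browsers: fall back to Origin, then to the Referer's origin.
  const origin = originOf(h["origin"]) || originOf(h["referer"]);
  if (origin === null) {
    return { allowed: false, reason: "no Sec-Fetch-Site, Origin or Referer to verify" };
  }
  if (origin === siteOrigin) {
    return { allowed: true, reason: "origin matches " + siteOrigin };
  }
  return { allowed: false, reason: "origin " + origin + " is not " + siteOrigin };
}

// Constructed sample requests for a stand-alone run.
if (typeof require !== "undefined" && require.main === module) {
  const samples = [
    { method: "POST", headers: { "sec-fetch-site": "cross-site", origin: "https://other.example" } },
    { method: "POST", headers: { origin: "https://app.example" } },
    { method: "POST", headers: {} },
  ];
  for (const s of samples) console.log(JSON.stringify(s), "->", checkStateChangingRequest(s));
}

module.exports = { originOf, checkStateChangingRequest, SITE_ORIGIN };
```

The check deliberately fails closed: a POST that carries none of the three headers is refused rather than assumed to be first-party. This header check is a complement to, not a replacement for, anti-CSRF tokens or `SameSite` cookies.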
CORS — the controlled exception
CORS lets servers explicitly authorize cross-origin access. The server returns Access-Control-Allow-Origin with the allowed origin, and the browser then allows the response to reach your script.
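What "explicitly authorize" looks like on the server, as an added example that is not part of the original page: the handler compares the request's `Origin` header against a fixed allowlist and only then emits `Access-Control-Allow-Origin` with that exact origin, plus `Vary: Origin` so caches do not serve one origin's answer to another. Preflight (`OPTIONS` with `Access-Control-Request-Method`) is answered from the same allowlist. The weak variant that simply reflects whatever `Origin` arrives is shown beside it for contrast. The allowlist contents, the lower-cased header object and the function names are assumptions of this example.

```javascript
// Added example: computing CORS response headers from an allowlist.
const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]); // assumed allowlist

// Returns the response headers to add for a request whose headers are given
// as a lower-cased object (the shape Node's req.headers uses).
function corsHeaders(requestHeaders, allowed = ALLOWED_ORIGINS) {
  const origin = requestHeaders["origin"];
  // Always vary on Origin: the same URL produces different headers per origin.
  const out = { Vary: "Origin" };

  // No Origin header (same-origin or non-browser client) or an origin not on the
  // list: send no Access-Control-Allow-Origin, so the browser withholds the response.
  if (!origin || !allowed.has(origin)) return out;

  // Echo only the matched allowlisted value, never "*" when credentials are allowed:
  // browsers reject "*" combined with Access-Control-Allow-Credentials.
  out["Access-Control-Allow-Origin"] = origin;
  out["Access-Control-Allow-Credentials"] = "true";

  // Preflight: the browser asks which method/headers it may use before sending
  // the real request. Answer only what the API actually supports.
  if (requestHeaders["access-control-request-method"]) {
    out["Access-Control-Allow-Methods"] = "GET, POST";
    out["Access-Control-Allow-Headers"] = "Content-Type, Authorization";
    out["Access-Control-Max-Age"] = "600";
  }
  return out;
}

// Weak variant for contrast: reflects any Origin, which turns CORS into
// "every site may read this response with the user's cookies".
function corsHeadersReflectingOrigin(requestHeaders) {
  const origin = requestHeaders["origin"];
  return origin
    ? { "Access-Control-Allow-Origin": origin, "Access-Control-Allow-Credentials": "true" }
    : {};
}

// Convenience: does a given origin get read access under the strict policy?
function originMayRead(origin, allowed = ALLOWED_ORIGINS) {
  return "Access-Control-Allow-Origin" in corsHeaders({ origin }, allowed);
}

if (typeof require !== "undefined" && require.main === module) {
  for (const o of ["https://app.example", "https://evil.example"]) {
    console.log(o, "strict:", corsHeaders({ origin: o }), "reflecting:", corsHeadersReflectingOrigin({ origin: o }));
  }
}

module.exports = { corsHeaders, corsHeadersReflectingOrigin, originMayRead, ALLOWED_ORIGINS };
```

Matching is on the full origin string, so `https://app.example.attacker.example` or `http://app.example` does not match the allowlist; a substring or regex match on the `Origin` header is the usual way the strict version degrades into the reflecting one.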