Same-Origin Policy

Last updated: April 2026

The Same-Origin Policy is a browser security rule that prevents JavaScript from reading responses from a different origin. It is the reason CORS errors exist: CORS is the controlled way to relax this restriction.

What is an origin

# An origin = protocol + domain + port
https://yourapp.com       # origin: https://yourapp.com
https://yourapp.com:443   # same origin (443 is default for HTTPS)
http://yourapp.com        # different origin (http vs https)
https://api.yourapp.com   # different origin (subdomain)
https://yourapp.com:8080  # different origin (different port)

What SOP blocks

SOP blocks JavaScript from reading the response body, headers, and cookies from cross-origin requests. It does not block the request itself from being sent; it blocks JavaScript from accessing the response.

What SOP allows

Simple GET requests can be sent cross-origin. Embedding images, scripts, and stylesheets from other origins is allowed. Forms can submit cross-origin. SOP only blocks JavaScript from reading cross-origin responses.

CORS relaxes SOP

# Server opts in by adding CORS headers
Access-Control-Allow-Origin: https://yourapp.com

# Browser then allows JavaScript to read the response
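How a server would produce the opt-in header above without handing the permission to every caller. This is an added example, not code from the HttpFixer page or from any particular framework: the allowlist is a constructed sample, and `corsHeadersFor` and `normalizeOrigin` are this example's own names. It goes a little beyond the page by comparing the request's `Origin` against an exact allowlist (rather than reflecting it) and by adding the `Vary` and credentials headers a practitioner would want alongside it.

```javascript
// Added example (not from the HttpFixer page): decide which CORS headers a
// server sends for a request, given an allowlist of origins. The request's
// Origin header is normalised (so "https://yourapp.com:443" matches
// "https://yourapp.com") and matched exactly; reflecting whatever origin the
// client sent would grant cross-origin read access to any site.

// Constructed sample allowlist; a real deployment loads this from config.
const ALLOWED_ORIGINS = new Set([
  "https://yourapp.com",
  "https://admin.yourapp.com",
]);

// Normalise an Origin header value. Returns null for anything that is not a
// well-formed origin, including the literal "null" a browser sends for
// sandboxed or file-backed documents.
function normalizeOrigin(value) {
  if (typeof value !== "string") return null;
  try {
    const u = new URL(value);
    // An origin is scheme://host[:port] only; a path, query or fragment
    // means this was not an Origin header value.
    if (u.origin === "null" || u.pathname !== "/" || u.search || u.hash) {
      return null;
    }
    return u.origin; // default port already dropped by the parser
  } catch {
    return null;
  }
}

// Return the CORS response headers to add, or {} when the origin is not
// allowed. With no Access-Control-Allow-Origin header the browser keeps the
// response hidden from cross-origin JavaScript, although the request itself
// still reached the server (SOP never stopped it being sent).
function corsHeadersFor(requestOriginHeader, { withCredentials = false } = {}) {
  const origin = normalizeOrigin(requestOriginHeader);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return {};
  }
  const headers = {
    "Access-Control-Allow-Origin": origin,
    // The response depends on the Origin header; without Vary a shared cache
    // could replay one origin's allow header to a request from another.
    "Vary": "Origin",
  };
  if (withCredentials) {
    // Credentialed responses require a specific origin; "*" is refused by
    // the browser in that case.
    headers["Access-Control-Allow-Credentials"] = "true";
  }
  return headers;
}

// Constructed sample requests, including a look-alike host that an exact
// match rejects but a prefix or substring check would wrongly accept.
const sampleOrigins = [
  "https://yourapp.com",
  "https://yourapp.com:443",
  "http://yourapp.com",
  "https://yourapp.com.example.net",
  "null",
  undefined,
];
for (const o of sampleOrigins) {
  console.log(String(o), "->", JSON.stringify(corsHeadersFor(o)));
}
```

For an allowed origin the function returns exactly the header shown on this page, `Access-Control-Allow-Origin: https://yourapp.com`; for everything else it returns nothing, and the browser's default SOP behaviour stays in force.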