Same-Origin Policy Testing Tool

The term Same-Origin Policy (SOP) is used to denote a complex set of rules that govern the interaction of different Web Origins within a web application. The SOP is the main line of defense against numerous kinds of web attacks. Thus, a clear understanding of this access control policy is of prime importance. Unfortunately, there is no formal specification of the SOP, in contrast to other important concepts like Web Origins (RFC 6454) or the Document Object Model (DOM).

A subset of these SOP rules controls the interaction between the host document (HD) and an embedded document (ED), and this subset is the target of our research (SOP-DOM). We show that in addition to the Web Origins, the access rights granted by SOP-DOM depend on various attributes, where the embedding element (EE, e.g., <iframe>, <script>, and <img>) is the most important. We describe the SOP in terms of read, write, and execute rights as an Attribute-Based Access Control (ABAC) model.

We systematically tested the SOP implementation of ten modern browsers at our testbed at with more than 500 different ABAC test cases. Our tests show that standard SOP cases with elements like <img> or <link> are consistently implemented, but in more than 23% of the executed tests – mostly in edge cases like <canvas> or CORS – we detected different browser behaviors. The issues discovered in Internet Explorer and Edge are acknowledged by Microsoft (MSRC Case 32703).

Our formal description helped us to detect a novel CSS-based login oracle and a novel CSP bypass.

SOP Tool: Based on your currently used browser, this tool automatically evaluates SOP restriction tables that are based on our formal ABAC model. Please click on the buttons to open or hide each table. You can hover on the r/w/x cells to see the used JavaScript code.


EE: <img>

EE: <canvas>

ED: Scalable Vector Graphics (SVG)

EE: <img> and <canvas>

EE: <iframe> <object> and <embed>

ED: JavaScript

EE: <script>

ED: Cascading Style Sheets (CSS)

EE: <link>


EE: <iframe> and Sandboxed <iframe>

Jump to the top