Same-Origin Policy Testing Tool

In the current HTML specification there are about 142 HTML elements, at least 15 of which support URI attributes [1]. The embedded document (ED) loaded through such a URI attribute of the embedding element (EE) may thus have a web origin [2] that differs from that of the host document (HD). The Same Origin Policy (SOP) controls the interaction between HD and ED and is the main line of defense against numerous kinds of web attacks (e.g., XSS). A clear understanding of this access control policy is therefore of prime importance.

Unfortunately, there is no formal specification of the Same Origin Policy, in contrast to other important concepts like web origins [2] or the Document Object Model [3]. In the literature, the SOP is mostly described in terms of boolean (allow/deny) decisions based on web origins (protocol, domain, port), but these descriptions are inconsistent with each other, and browser behaviour that does not fit into this scheme has been reported in several publications (e.g., [5]).

With our research we propose to extend the web origin triple to a quadruple (protocol, domain, port, embedding element) and to describe SOP behaviour on this basis. This is justified by the fact that the access rights granted by the SOP strongly depend on the embedding element (EE): for example, JavaScript code loaded from a different web origin receives very different access rights depending on whether it is embedded with <script> or with <iframe>. We provide a fine-grained framework that describes the rights managed by the SOP in terms of read, write, and execute access granted on or to the externally loaded content. We thus introduce a role-based access control (RBAC) model for the SOP in the HTML context, in which the role is defined by the EE.

SOP Tool: This tool evaluates the SOP restriction tables, which follow our formal RBAC model notation, automatically in the browser you are currently using. Click on the buttons to show or hide each table. Hover over the r/w/x cells to see the JavaScript code that was used for that test.

ED: JPG and PNG

EE: <img>

EE: <canvas>

ED: Scalable Vector Graphics (SVG)

EE: <img> and <canvas>

EE: <iframe> <object> and <embed>

ED: JavaScript

EE: <script>

ED: Cascading Style Sheets (CSS)

ED: HTML

EE: <iframe> and Sandboxed <iframe>

FROM  EE        TO  sandbox attribute                                     r   w   x
HD    <iframe>  ED  (not set)                                             no  no  no
HD    <iframe>  ED  (empty value)                                         no  no  no
HD    <iframe>  ED  allow-scripts                                         no  no  no
HD    <iframe>  ED  allow-same-origin                                     no  no  no
HD    <iframe>  ED  allow-top-navigation                                  no  no  no
HD    <iframe>  ED  allow-scripts allow-same-origin                       no  no  no
HD    <iframe>  ED  allow-scripts allow-top-navigation                    no  no  no
HD    <iframe>  ED  allow-scripts allow-same-origin allow-top-navigation  no  no  no
HD    <iframe>  ED  (not set)                                             no  no  no
HD    <iframe>  ED  (empty value)                                         no  no  no
HD    <iframe>  ED  allow-scripts                                         no  no  no
HD    <iframe>  ED  allow-same-origin                                     no  no  no
HD    <iframe>  ED  allow-top-navigation                                  no  no  no
HD    <iframe>  ED  allow-scripts allow-same-origin                       no  no  no
HD    <iframe>  ED  allow-scripts allow-top-navigation                    no  no  no
HD    <iframe>  ED  allow-scripts allow-same-origin allow-top-navigation  no  no  no
ED    <iframe>  HD  (not set)                                             no  no  no
ED    <iframe>  HD  (empty value)                                         no  no  no
ED    <iframe>  HD  allow-scripts                                         no  no  no
ED    <iframe>  HD  allow-same-origin                                     no  no  no
ED    <iframe>  HD  allow-top-navigation                                  no  no  no
ED    <iframe>  HD  allow-scripts allow-same-origin                       no  no  no
ED    <iframe>  HD  allow-scripts allow-top-navigation                    no  no  no
ED    <iframe>  HD  allow-scripts allow-same-origin allow-top-navigation  no  no  no
ED    <iframe>  HD  (not set)                                             no  no  no
ED    <iframe>  HD  (empty value)                                         no  no  no
ED    <iframe>  HD  allow-scripts                                         no  no  no
ED    <iframe>  HD  allow-same-origin                                     no  no  no
ED    <iframe>  HD  allow-top-navigation                                  no  no  no
ED    <iframe>  HD  allow-scripts allow-same-origin                       no  no  no
ED    <iframe>  HD  allow-scripts allow-top-navigation                    no  no  no
ED    <iframe>  HD  allow-scripts allow-same-origin allow-top-navigation  no  no  no
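The building blocks behind the tables above, as an added example that is not the SOP tool's own code: the web origin triple comparison with default-port normalisation, its extension to the (protocol, domain, port, EE) quadruple of the RBAC model, the effect of the <iframe> sandbox attribute on whether the frame is same-origin with the host document at all, and an r/w/x probe that fills one table row by attempting a read, a write and a code execution against a window object and catching the SecurityError a cross-origin access raises. All function names and the two mock windows are constructed for this example; the mocks stand in for a real same-origin and cross-origin iframe.contentWindow so the code runs outside a browser.

```javascript
// Added example, not the SOP tool's own code. It models (1) the web origin
// triple comparison, (2) the extension to the (protocol, domain, port, EE)
// quadruple, (3) the effect of the <iframe> sandbox attribute on the frame's
// origin, and (4) the r/w/x probe that fills one row of the tool's tables.
// Function names and the mock windows are constructed for this example.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Web origin triple of a URL. An omitted port is replaced by the scheme's
// default so that http://a.example and http://a.example:80 compare equal.
function originOf(url) {
  const u = new URL(url);
  return {
    protocol: u.protocol,
    domain: u.hostname,
    port: u.port || DEFAULT_PORTS[u.protocol] || "",
  };
}

function sameOrigin(urlA, urlB) {
  const a = originOf(urlA), b = originOf(urlB);
  return a.protocol === b.protocol && a.domain === b.domain && a.port === b.port;
}

// RBAC quadruple: the embedding element is the role, so the same origin loaded
// through <script> and through <iframe> yields two different keys.
function quadrupleKey(url, ee) {
  const o = originOf(url);
  return `${o.protocol}//${o.domain}:${o.port}|${ee}`;
}

// sandbox === null models "attribute not set"; "" models an empty value.
// A sandboxed frame without allow-same-origin gets an opaque origin and is
// therefore never same-origin with the host document, even for the same URL.
function frameIsSameOrigin(hostUrl, frameUrl, sandbox) {
  if (sandbox !== null && !sandbox.split(/\s+/).includes("allow-same-origin")) {
    return false;
  }
  return sameOrigin(hostUrl, frameUrl);
}

// r/w/x probe against a window-like object (e.g. iframe.contentWindow).
//   r: read the embedded document's markup
//   w: write into its DOM
//   x: run code in its JavaScript context
// Cross-origin access throws a SecurityError rather than returning undefined,
// so every probe is wrapped in try/catch and reports "yes" or "no".
function probeAccess(win) {
  const attempt = (fn) => { try { fn(); return "yes"; } catch (e) { return "no"; } };
  return {
    r: attempt(() => {
      if (typeof win.document.body.innerHTML !== "string") throw new Error("unreadable");
    }),
    w: attempt(() => { win.document.body.setAttribute("data-sop-probe", "1"); }),
    x: attempt(() => { win.eval("1 + 1"); }),
  };
}

// One row in the layout of the tool's tables: FROM EE TO sandbox r w x.
function formatRow(from, ee, to, sandbox, access) {
  const sb = sandbox === null ? "(not set)" : sandbox === "" ? "(empty value)" : sandbox;
  return [from, ee, to, sb, access.r, access.w, access.x].join(" ");
}

// Constructed mock windows so the probe can be exercised outside a browser.
// The same-origin mock exposes a writable DOM and eval; the cross-origin mock
// throws SecurityError on everything except postMessage, mirroring what a
// cross-origin WindowProxy exposes.
function makeSameOriginWindow() {
  const body = { innerHTML: "<p>embedded</p>", attrs: {} };
  body.setAttribute = (k, v) => { body.attrs[k] = v; };
  return { document: { body }, eval: (code) => Function(`return (${code})`)() };
}

function makeCrossOriginWindow() {
  const deny = () => {
    const e = new Error("Blocked a frame with a different origin");
    e.name = "SecurityError";
    throw e;
  };
  return new Proxy({}, { get: (_t, prop) => (prop === "postMessage" ? () => {} : deny()) });
}

// Evaluate the HD -> <iframe> -> ED row for a given sandbox value: if the frame
// is not same-origin with the host, the host sees a cross-origin window.
function iframeRow(hostUrl, frameUrl, sandbox) {
  const win = frameIsSameOrigin(hostUrl, frameUrl, sandbox)
    ? makeSameOriginWindow()
    : makeCrossOriginWindow();
  return formatRow("HD", "<iframe>", "ED", sandbox, probeAccess(win));
}

console.log(iframeRow("http://a.example/", "http://a.example/frame", null));
console.log(iframeRow("http://a.example/", "http://a.example/frame", "allow-scripts"));
console.log(iframeRow("http://a.example/", "http://b.example/frame", "allow-same-origin"));
```

In a browser, `probeAccess(document.getElementById("ed").contentWindow)` replaces the mocks; the try/catch shape is what matters, because a cross-origin `win.document` access does not return a value that can be inspected but throws before the probe body runs.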
