Same-Origin Policy Testing Tool

The Same-Origin Policy (SOP) controls the interaction between a host document (HD) and an embedded document (ED) and is the main line of defense against numerous kinds of web attacks. A clear understanding of this access control policy is therefore of prime importance. Unfortunately, there is no formal specification of the Same-Origin Policy, in contrast to related concepts such as web origins (RFC 6454) or the Document Object Model (W3C DOM). In the literature, the SOP is mostly described in terms of boolean (allow/deny) decisions based on web origins (scheme, host, port), but these descriptions are inconsistent with one another.

We show that the access rights granted by the SOP depend on the embedding element (EE, e.g., <iframe>, <script>, and <img>). We describe the SOP in terms of read, write, and execute (r/w/x) rights as a role-based access control (RBAC) model, in which the role is defined by the EE and the object is the embedded document.

We systematically tested the SOP implementation of ten modern browsers with our test bed at www.your-sop.com, for which we implemented more than 500 different RBAC test cases. Our tests show that standard SOP cases with elements like <img> or <link> are correctly implemented, but in more than 23% of the executed tests, mostly in edge cases such as <canvas> or CORS, the tested browsers behaved differently from one another. This confirms the need for a formal specification.
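
The RBAC notation and the cross-browser comparison described above, as an added example that is not part of this page or of the your-sop.com test bed: each test case is (EE, ED, right) plus a probe, a probe outcome is mapped to an allow/deny verdict (browsers raise a DOMException named SecurityError for SOP violations; any other failure is a test-bed error, not a policy decision), and per-browser verdict tables are compared to find the cases on which browsers disagree. The probe for the <canvas> edge case reflects the documented tainted-canvas rule: a cross-origin image can be drawn but not read back unless it was requested with crossorigin="anonymous" and the server permitted it via CORS. Probes take the document as a parameter so they run in a real browser (pass `document`) or against the constructed stub included below; the stub, the sample URL and verdict tables, and the helper names (testCase, classify, runCase, probeCanvasRead, makeStubDocument, disagreements) are assumptions made for this example.

```javascript
// Added example, not the your-sop.com test bed's own code. Helper names are
// hypothetical; the stub document, URL and verdict tables are constructed.

// One RBAC test case: does EE (role) grant `right` over ED (object)?
function testCase(ee, ed, right, probe) {
  return { id: `${ee}/${ed}/${right}`, ee, ed, right, probe };
}

// Browsers signal an SOP violation with a DOMException named "SecurityError".
// Any other failure (network error, bug in the probe) must not be read as a
// policy decision, so it gets its own verdict.
function classify(outcome) {
  if (outcome.ok) return "allow";
  const e = outcome.error;
  return e && e.name === "SecurityError" ? "deny" : "error";
}

async function runCase(tc, doc, url) {
  try {
    return classify({ ok: true, value: await tc.probe(doc, url) });
  } catch (error) {
    return classify({ ok: false, error });
  }
}

// r on a JPG/PNG through <canvas>: drawing a cross-origin image is allowed,
// but reading the pixels back (toDataURL) throws SecurityError because the
// canvas is tainted, unless the image was requested with
// crossorigin="anonymous" and the server answered with a permitting CORS header.
function probeCanvasRead(doc, url, useCors = false) {
  return new Promise((resolve, reject) => {
    const img = doc.createElement("img");
    if (useCors) img.crossOrigin = "anonymous";
    img.onload = () => {
      const canvas = doc.createElement("canvas");
      canvas.getContext("2d").drawImage(img, 0, 0);
      try { resolve(canvas.toDataURL()); } catch (e) { reject(e); }
    };
    img.onerror = () => reject(new Error("image did not load"));
    img.src = url;
  });
}

// Constructed stand-in for `document` so the harness runs outside a browser.
// It models only the image rule: a CORS-requested image fails to load when the
// server refuses CORS, and a loaded image taints the canvas unless it was
// requested with crossorigin="anonymous".
function makeStubDocument({ serverAllowsCors }) {
  const securityError = () =>
    Object.assign(new Error("tainted canvas"), { name: "SecurityError" });
  return {
    createElement(tag) {
      if (tag === "img") {
        return {
          crossOrigin: null,
          set src(_url) {
            const corsRefused = this.crossOrigin === "anonymous" && !serverAllowsCors;
            (corsRefused ? this.onerror : this.onload)();
          },
        };
      }
      if (tag === "canvas") {
        let tainted = false;
        return {
          getContext: () => ({ drawImage(img) { tainted = img.crossOrigin !== "anonymous"; } }),
          toDataURL() { if (tainted) throw securityError(); return "data:image/png;base64,stub"; },
        };
      }
      throw new Error(`stub does not model <${tag}>`);
    },
  };
}

// Given {browser: {caseId: verdict}}, list the cases on which the browsers
// disagree and the share of such cases among all executed cases.
function disagreements(tables) {
  const browsers = Object.keys(tables);
  const ids = [...new Set(browsers.flatMap((b) => Object.keys(tables[b])))];
  const cases = ids.filter(
    (id) => new Set(browsers.map((b) => tables[b][id] ?? "missing")).size > 1,
  );
  return { cases, rate: ids.length ? cases.length / ids.length : 0 };
}

// Run the <canvas> read case three ways against the stub (constructed URL).
async function demo() {
  const url = "https://other.example/cross-origin.png";
  const plain = testCase("canvas", "png", "r", (d, u) => probeCanvasRead(d, u, false));
  const cors = testCase("canvas", "png", "r", (d, u) => probeCanvasRead(d, u, true));
  return {
    noCors: await runCase(plain, makeStubDocument({ serverAllowsCors: true }), url),
    corsAllowed: await runCase(cors, makeStubDocument({ serverAllowsCors: true }), url),
    corsRefused: await runCase(cors, makeStubDocument({ serverAllowsCors: false }), url),
  };
}

demo().then((verdicts) => console.log(verdicts));
```

Against the stub, `demo()` yields deny for the plain cross-origin image, allow when CORS was requested and granted, and error (not deny) when the CORS request was refused and the image never loaded. Keeping that third outcome separate matters when computing a disagreement rate: a failed load in one browser is a test-bed artifact, not evidence that its SOP differs.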

SOP Tool: This tool evaluates, in the browser you are currently using, the SOP restriction tables written in our formal RBAC notation. Click a button to open or hide a table. Hover over an r/w/x cell to see the JavaScript code used for that test.

The tables are grouped by embedded document type (ED) and embedding element (EE):

ED: JPG and PNG
    EE: <img>
    EE: <canvas>

ED: Scalable Vector Graphics (SVG)
    EE: <img> and <canvas>
    EE: <iframe>, <object> and <embed>

ED: JavaScript
    EE: <script>

ED: Cascading Style Sheets (CSS)
    EE: <link>

ED: HTML
    EE: <iframe> and sandboxed <iframe>
