Same-Origin Policy Testing Tool

The term Same-Origin Policy (SOP) denotes a complex set of rules that govern the interaction of different Web Origins within a web application. A subset of these rules controls the interaction between the host document (HD) and an embedded document (ED); this subset, which we call SOP-DOM, is the target of our research. In contrast to other important concepts such as Web Origins (RFC 6454) or the Document Object Model (DOM), there is no formal specification of SOP-DOM. Because reliance on inconsistent descriptions has led to SOP bypasses, a clear definition of the SOP is indispensable.

We show that, in addition to Web Origins, the access rights granted by SOP-DOM depend on various attributes. The most important attribute is the embedding element (EE). We set a new context for the scientific discussion of SOP-DOM by describing it in terms of read, write, and execute rights in an Attribute-Based Access Control (ABAC) model. Our ABAC model is general enough to cover previously known facts about SOP-DOM from the scientific literature and the web security community, and in addition it helped us detect new vulnerabilities (an IE/Edge CSS vulnerability and a CSP bypass).

With our testbed at, we systematically verified our model against the SOP implementations of ten modern browsers using 500 different ABAC test cases. In more than 23% of the executed tests, we observed differing browser behavior.

SOP Tool: Based on the browser you are currently using, this tool automatically evaluates SOP restriction tables derived from our formal ABAC model. Click the buttons to show or hide each table. Hover over the r/w/x cells to see the JavaScript code used for that test.
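To make the ABAC view of SOP-DOM concrete, here is an added example (not the tool's own code, nor the page's restriction tables) that models a read/write/execute decision from a test case's attributes and then compares observed per-browser results against that model, which is the kind of check that surfaces the differing browser behavior mentioned above. The attribute names (ee, sameOrigin, sandboxed, allowScripts, cors) and the rule table inside sopDomRights are assumptions drawn from commonly documented browser behavior, and the two browsers and their observations are constructed sample data.

```javascript
// Added example, not the original tool's code. The rule table below is an
// ASSUMPTION based on commonly documented browser behaviour, not the page's
// own restriction tables.
//
// Attributes of one test case (hypothetical attribute names):
//   ee           embedding element: "iframe", "object", "embed", "img",
//                "canvas", "script" or "link"
//   sameOrigin   true when HD and ED share a Web Origin
//   sandboxed    iframe carries a sandbox attribute without allow-same-origin
//   allowScripts sandboxed iframe carries the allow-scripts token
//   cors         element used crossorigin= and the response carried a
//                permissive Access-Control-Allow-Origin header
function sopDomRights(tc) {
  const { ee, sameOrigin = false, sandboxed = false,
          allowScripts = false, cors = false } = tc;
  switch (ee) {
    case "iframe":
    case "object":
    case "embed":
      if (sandboxed) {
        // Sandboxed content gets an opaque origin: HD can neither read nor
        // write it; scripts inside run only with allow-scripts.
        return { r: false, w: false, x: allowScripts };
      }
      // Same-origin ED is fully reachable via contentDocument; a cross-origin
      // ED is opaque to HD but still executes its own scripts.
      return { r: sameOrigin, w: sameOrigin, x: true };
    case "img":
    case "canvas":
      // The image always renders (x). Pixel data is readable only when
      // same-origin or CORS-loaded; otherwise the canvas is tainted.
      return { r: sameOrigin || cors, w: false, x: true };
    case "script":
      // The script executes in HD regardless of origin (x); its source text
      // is readable only same-origin or via CORS.
      return { r: sameOrigin || cors, w: false, x: true };
    case "link":
      // The stylesheet applies (x) even cross-origin, but CSSOM access
      // (cssRules / insertRule) needs same-origin or CORS.
      return { r: sameOrigin || cors, w: sameOrigin || cors, x: true };
    default:
      throw new Error(`unknown embedding element: ${ee}`);
  }
}

// Compare observations (one object per browser, keyed by test-case id)
// against the model and against each other. Returns every cell that
// deviates from the model plus the share of cases where browsers disagree.
function compareObservations(testCases, observations) {
  const mismatches = [];
  let disagreeing = 0;
  for (const tc of testCases) {
    const expected = sopDomRights(tc);
    const perBrowser = Object.entries(observations).map(([b, o]) => [b, o[tc.id]]);
    const distinct = new Set(perBrowser.map(([, o]) => JSON.stringify(o)));
    if (distinct.size > 1) disagreeing++;
    for (const [browser, obs] of perBrowser) {
      for (const right of ["r", "w", "x"]) {
        if (obs[right] !== expected[right]) {
          mismatches.push({ id: tc.id, browser, right,
                            expected: expected[right], observed: obs[right] });
        }
      }
    }
  }
  return { mismatches, disagreementRate: disagreeing / testCases.length };
}

// Constructed sample test cases (not from the page's 500-case corpus).
const SAMPLE_CASES = [
  { id: "iframe-same",    ee: "iframe", sameOrigin: true },
  { id: "iframe-cross",   ee: "iframe", sameOrigin: false },
  { id: "iframe-sandbox", ee: "iframe", sameOrigin: true, sandboxed: true, allowScripts: true },
  { id: "img-cross",      ee: "img",    sameOrigin: false },
  { id: "img-cors",       ee: "img",    sameOrigin: false, cors: true },
  { id: "link-cross",     ee: "link",   sameOrigin: false },
  { id: "script-cross",   ee: "script", sameOrigin: false },
  { id: "canvas-same",    ee: "canvas", sameOrigin: true },
];

// Constructed observations for two fictional browsers: browserA matches the
// model; browserB deviates on one cell (it exposes cross-origin CSSOM).
const modelResults = Object.fromEntries(SAMPLE_CASES.map((tc) => [tc.id, sopDomRights(tc)]));
const SAMPLE_OBSERVATIONS = {
  browserA: { ...modelResults },
  browserB: { ...modelResults, "link-cross": { r: true, w: false, x: true } },
};

function demo() {
  return compareObservations(SAMPLE_CASES, SAMPLE_OBSERVATIONS);
}
```

Running demo() reports one mismatch (browserB reads cross-origin CSS) and a disagreement rate of 0.125, i.e. one of the eight constructed cases; the real tool's cells are filled by executing the probe JavaScript in the live browser, whereas this example only replays recorded results.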

Restriction tables provided by the tool:

EE: <img>
EE: <canvas>

ED: Scalable Vector Graphics (SVG)
    EE: <img> and <canvas>
    EE: <iframe>, <object> and <embed>

ED: JavaScript
    EE: <script>

ED: Cascading Style Sheets (CSS)
    EE: <link>

EE: <iframe> and sandboxed <iframe>