Collaborate Disseminate
Let’s say we run a web app at "example.org". It uses cookies for user authentication.
Our website also has a blog at "example.org/blog", hosted by a third party. Our load balancer routes all requests to "/blog&qu… Continue reading Serving "less trusted" content on the same domain
I’m trying to get 3rd party cookies to work on major mid-year 2020 browsers [1]. It’s as simple as pointing an iframe to an external URL to make a cookied request and probably get the response thereafter (and the external site explicitly … Continue reading Allowing 3rd-party cookies in major 2020 browsers
I know that same-origin-policy is applied by the browser, it does not block requests, it just prevents the website from seeing the answer. But how do browsers really know that the request came from a browser, and not from a script with Pyt… Continue reading How can a browser know that the request came from a browser when SOP is apply? [closed]
I can’t understand why SOP (same-origin policy) cannot block Cross-Origin WebSocket Hijacking, I just read this article and I can’t understand from where WebSocket requests comes from.
From where does WebSocket requests comes from, that SO… Continue reading Why WebSockets doesn’t apply SOP?
I just read about SOP (same origin policy), and I tried to learn this more and learn how it works. I tried to reset my password (In a chat forum) using HTTP Requests in Python, and most of them have captcha, why do websites need captcha wh… Continue reading Why to use captcha when SOP exists? [closed]
For most of them may be its a silly question but I want it to know this in very simple language.
If an application is not using CORS at all then should we put this SameSite cookie attribute?
and if Application has subdomain like abc.doma… Continue reading What is the connection between CORS and SameSite cookie attribute?
I’m trying to do some csrf attack test on a site.
I found that the site protect itself from csrf by checking the http Origin header.
But I guess maybe under some conditions I can bypass the protection. The website just check if the reque… Continue reading How to bypass origin based csrf protection?
Consider a blogging platform – example.com and we want to host untrusted content in subdomain1.example.com and subdomain2.example.com.
By default, same origin policy doesn’t allow communication between these two subdomains. Beyond SOP, wh… Continue reading Ideas for subdomains isolation
I’ve been using CORS for a while and I think I understand it. But as far as I can tell, because the allow-origin header is provided by the server being called, which an attacker can control as they see fit, same origin policy cannot preven… Continue reading With the existance of CORS, what further purpose does same origin policy serve?
Pardon me if I am wrong, however, I am looking for an answer for my understanding that isn’t the concerns regarding CSRF solved by both Samesite cookie and Same-Origin-Policy effectively? Then why is the need for 2 different things?
The b… Continue reading Doesn’t Samesite cookie and Sameorigin policy effectively does the same job?