# Same-Origin Policy
Confidence: high
Last verified: 2026-05-22
Generation: human_only
## TL;DR
The Same-Origin Policy (SOP) is a critical web security mechanism restricting how documents and scripts from one origin interact with resources from another origin. Origin = protocol + host + port. SOP prevents malicious websites from reading sensitive data from other sites.
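The origin definition above can be checked mechanically. The following is an added example, not part of the original page: it compares two URLs by protocol (scheme), host and port, including default ports and opaque origins. The function names and sample URLs are constructed for illustration.

```javascript
// Added example: same-origin comparison on the (scheme, host, port) tuple.
// Function names and all URLs below are constructed for illustration.

// Default ports for the schemes whose origins are tuples in the URL Standard.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Return the origin tuple of a URL, or null when the origin is opaque
// (data:, file:, custom schemes). An opaque origin matches nothing, not even itself.
function originTuple(rawUrl) {
  const u = new URL(rawUrl); // throws TypeError on an unparsable URL
  if (u.origin === "null") return null; // the parser serializes opaque origins as "null"
  return {
    scheme: u.protocol.replace(/:$/, ""),
    host: u.hostname, // already lowercased by the parser
    port: u.port || DEFAULT_PORTS[u.protocol], // u.port is "" for the default port
  };
}

// True only when both URLs have tuple origins and all three parts are equal.
function isSameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed sample pairs, each compared against the same base URL.
const base = "https://app.example.com/account";
const samples = [
  "https://app.example.com:443/other?x=1", // explicit default port: same origin
  "https://APP.Example.com/",              // host case differs only: same origin
  "http://app.example.com/",               // protocol differs
  "https://api.example.com/",              // host differs
  "https://app.example.com:8443/",         // port differs
  "data:text/html,<p>x</p>",               // opaque origin
];
for (const s of samples) {
  console.log(isSameOrigin(base, s) ? "same-origin " : "cross-origin", s);
}
```

Only the first two samples are same-origin with the base URL; a path or query string never affects the result.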
## Core Explanation
SOP restricts: DOM access (a page on origin A cannot read origin B's iframe/document content), XMLHttpRequest/Fetch to different origins (unless CORS permits), and cookie/WebStorage access. It does NOT restrict: embedding resources (`
`, `