Saturday, 1 March 2014

More about security: Same-Origin Policy

In this topic I am going to talk about same-origin policy. In one of the previous posts I talked about AJAX (i.e., a method to communicate with the server without the need to refresh the whole web page page); Now one question that may arise is that:

'What if someone sends many AJAX requests to a login script in a website (e.g., Facebook, Yahoo! etc.) and try all different combinations of usernames and passwords to hack into users accounts?'

Fortunately, for security reasons modern-day client-side languages such as JavaScript do not allow AJAX requests to be sent from a script to another script on a different domain. For example, in order to send AJAX requests to "" (Script that handles user log-ins to you need to have your own script put on the '' domain. In other words, you can only send AJAX requests to scripts that are located on the same domain where your own file (script) is located. This rule is known as same-origin policy.

However, it does not end all here. What if you are one of the creators of programming languages such as JavaScript? or what if you can somehow manipulate these languages or create a new browser-side language that can violate this policy?

If you did not already know, you should know that your information in the world wide web it is by no means secure ...

No comments:

Post a Comment