- Definition: A browser security mechanism that prevents a document or script loaded from one origin from reading data (DOM, responses, cookies, storage) belonging to another origin. It restricts reads, not requests: a page can still send requests to, embed, or navigate to other origins.
👉 An origin = (scheme + host + port); path, query and fragment are not part of it.
- Example:
https://example.com:443 = Origin A
https://example.com:8080 = Origin B (different port → different origin)
✅ Allowed:
- Reading data from same origin.
❌ Blocked:
- A script from evil.com trying to read data from bank.com.
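Added example (not part of the original notes): the origin-tuple comparison the browser performs, written against the WHATWG URL API so it runs in a browser or Node.js. All URLs in the case table are constructed; the third column is the expected verdict.

```javascript
// Added example: compute the (scheme, host, port) origin of a URL and compare two
// URLs the way the browser's same-origin check does.

// Default ports per scheme. https://example.com and https://example.com:443 are the
// same origin because 443 is the default for https. The URL parser drops a default
// port from u.port, so we put it back to keep the comparison explicit.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(url) {
  const u = new URL(url);
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol.replace(/:$/, ""), host: u.hostname, port };
}

function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed cases: [url A, url B, same origin?]
const CASES = [
  ["https://example.com:443/a", "https://example.com/b", true],              // default port
  ["https://example.com", "https://example.com:8080", false],                 // port differs
  ["https://example.com", "http://example.com", false],                       // scheme differs
  ["https://example.com", "https://www.example.com", false],                  // host differs (subdomain)
  ["https://example.com/login", "https://example.com/profile?x=1#top", true], // path, query, fragment ignored
  ["https://alice:pw@example.com", "https://example.com", true],              // userinfo is not part of the origin
];

// Returns the cases whose actual verdict disagrees with the expected one (empty = all good).
function failingCases() {
  return CASES.filter(([a, b, expected]) => sameOrigin(a, b) !== expected);
}

console.log(failingCases().length === 0 ? "all cases match" : failingCases());
```

`URL.hostname` already lower-cases the host, so `HTTPS://EXAMPLE.COM` and `https://example.com` compare equal, matching browser behaviour.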
⚡ Pentesting Relevance
- CORS is the mechanism that deliberately relaxes SOP. If it is misconfigured (e.g. the server reflects any Origin header into Access-Control-Allow-Origin and also sends Access-Control-Allow-Credentials: true), an attacker's page can read authenticated responses from the victim's session and steal sensitive data.
- Example: Cross-Site Script Inclusion (XSSI). SOP does not stop a page from loading a cross-origin resource with <script src="...">, so if an endpoint returns user data as valid JavaScript (e.g. var user = {...} or a JSONP callback), the attacker's page can execute it and read the values.
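Added example (not code from the original notes): a server-side CORS decision in its misconfigured form beside the allow-listed form, a simplified model of the browser's read check, and a check of why XSSI works against some response bodies. All origins, headers and response bodies are constructed.

```javascript
// Added example: misconfigured vs corrected CORS decision, plus an XSSI check.

// Misconfigured: reflects whatever Origin the browser sent and allows credentials,
// so any site the victim visits can read the victim's authenticated response.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Corrected: compare the Origin against an allow-list of full origins
// (scheme + host + port), never a substring or regex match on the hostname.
const ALLOWED_ORIGINS = new Set(["https://app.bank.example", "https://admin.bank.example"]);

function corsHeadersAllowlisted(requestOrigin) {
  if (!ALLOWED_ORIGINS.has(requestOrigin)) return {}; // no CORS headers: the browser blocks the read
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin", // so caches do not serve one origin's ACAO to another
  };
}

// Simplified model of the browser's decision: may a script on requestOrigin read
// a response carrying these headers? (Preflight and header filtering omitted.)
function browserMayRead(requestOrigin, headers, withCredentials) {
  const acao = headers["Access-Control-Allow-Origin"];
  if (acao === undefined) return false;
  if (acao === "*") return !withCredentials; // wildcard is never honoured for credentialed requests
  if (withCredentials && headers["Access-Control-Allow-Credentials"] !== "true") return false;
  return acao === requestOrigin;
}

// XSSI: <script src="https://bank.example/api/me"> is not blocked by SOP, so if the
// body is valid JavaScript it runs inside the attacker's page. new Function() is
// used here only as a syntax check; nothing is executed.
function parsesAsJavaScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Constructed response bodies.
const XSSI_VULNERABLE_BODY = 'var user = {"email":"alice@bank.example","token":"abc123"};';
const PLAIN_JSON_OBJECT = '{"email":"alice@bank.example"}';           // bare object literal is not a valid statement
const PREFIXED_JSON = ")]}',\n" + '{"email":"alice@bank.example"}';   // anti-XSSI prefix: always a SyntaxError

console.log("reflecting CORS lets evil.example read:",
  browserMayRead("https://evil.example", corsHeadersReflecting("https://evil.example"), true));
console.log("allow-listed CORS lets evil.example read:",
  browserMayRead("https://evil.example", corsHeadersAllowlisted("https://evil.example"), true));
console.log("var-wrapped body runs as JS:", parsesAsJavaScript(XSSI_VULNERABLE_BODY));
console.log("prefixed JSON runs as JS:", parsesAsJavaScript(PREFIXED_JSON));
```

When testing a target, send a request with an arbitrary Origin header (and with cookies) and look for that value reflected in Access-Control-Allow-Origin together with Access-Control-Allow-Credentials: true; for XSSI, fetch data endpoints and check whether the body is syntactically valid JavaScript rather than JSON behind a non-executable prefix.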