Same Origin Policy & CORS
- SOP prevents documents or scripts loaded from one origin (e.g. a domain) from accessing resources served by other origins
- for all requests, browsers always and automatically attach any cookies scoped to the destination domain
- two origins are equal if they have the same protocol, host, and port; this is known as the "scheme/host/port" tuple
- CORS is not a security mechanism but a way to relax security: it makes it possible to access resources from foreign origins
- SOP doesn't apply to server-to-server communication, only to browser-to-server communication. Because of this, a proxy server can be used to circumvent the SOP protections
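The two points above that a practitioner most often has to get right in code are the scheme/host/port comparison and the CORS response policy. The following is an added example, not part of the original notes: it implements the origin-tuple comparison and then shows a CORS header decision in its weak form (reflecting whatever `Origin` the browser sent, with credentials allowed) beside a hardened allowlist form. All origins and the allowlist are constructed sample values; function names are my own.

```javascript
// Added example: Same Origin Policy tuple comparison and a CORS header
// decision in weak and hardened forms. Sample origins are constructed.

const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Reduce a URL or origin string to its scheme/host/port tuple. WHATWG URL
// parsing already drops default ports, so https://example.com and
// https://example.com:443 compare equal.
function originTuple(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two origins are equal only if all three tuple members match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Weak CORS policy: reflects the request's Origin and allows credentials.
// Because the browser attaches the user's cookies automatically, any origin
// the user visits can read authenticated responses from this server; the
// "relaxation" of SOP has become unconditional.
function corsHeadersWeak(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// True only if requestOrigin parses and matches an allowlist entry.
// Unparseable values (including the literal string "null") are rejected.
function isAllowedOrigin(requestOrigin, allowlist) {
  if (typeof requestOrigin !== "string") return false;
  try {
    return allowlist.some((o) => sameOrigin(o, requestOrigin));
  } catch (e) {
    return false;
  }
}

// Hardened CORS policy: only allowlisted origins receive an
// Access-Control-Allow-Origin header. Every other origin gets no CORS
// headers at all, so the browser's SOP keeps the response unreadable.
// "Vary: Origin" prevents a shared cache from replaying one origin's
// header to a different origin.
function corsHeadersHardened(requestOrigin, allowlist) {
  if (!isAllowedOrigin(requestOrigin, allowlist)) return {};
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
    "Vary": "Origin",
  };
}

// Constructed allowlist for demonstration.
const ALLOWLIST = ["https://app.example.com"];

console.log(sameOrigin("https://example.com/a", "https://example.com:443/b")); // true
console.log(corsHeadersWeak("https://other.example"));                         // reflected
console.log(corsHeadersHardened("https://other.example", ALLOWLIST));          // {}
```

The difference between the two policies is what a review should look for on a server that sets CORS headers: the hardened version makes the decision against a fixed list using the same tuple the browser uses, and returns nothing rather than a permissive default when the origin is unknown or unparseable.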