Same-Origin Policy Testing Tool

The term Same-Origin Policy (SOP) is used to denote a complex set of rules that govern the interaction of different Web Origins within a web application. A subset of these SOP rules controls the interaction between the host document and an embedded document, and this subset is the target of our research (SOP-DOM). In contrast to other important concepts like Web Origins (RFC 6454) or the Document Object Model (DOM), there is no formal specification of the SOP-DOM.

We show that in addition to Web Origins, access rights granted by SOP-DOM depend on at least three attributes: the type of the embedding element (EE), and the sandbox and CORS attributes. We set a new context for the scientific discussion of SOP-DOM by describing it in terms of read, write, and execute rights in an Attribute-Based Access Control (ABAC) model. With our testbed, we systematically verified our model against the SOP implementations of ten modern browsers by examining more than 500 different ABAC test cases. We detected differing browser behaviors in 23% of the executed tests.

SOP Tool: Based on the browser you are currently using, this tool automatically evaluates SOP restriction tables derived from our formal ABAC model. Click the buttons to open or hide each table. Hover over the r/w/x cells to see the JavaScript code used for each test.
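To make the r/w/x probing concrete, here is an added example in the style of such a testbed; it is not the SOP tool's own code. For a frame-like embedding element it attempts a read of the embedded DOM, a write into it, and a call into it, and maps each outcome onto the table vocabulary used above. The name `embeddedFunction` is an assumed function the embedded document would define, and the two mock frames at the end are constructed so the script also runs outside a browser.

```javascript
// Added example (not the SOP tool's own code): probe read/write/execute
// access from a host document into an embedded document and record whether
// the browser allowed it. `embeddedFunction` is an assumed name; the mock
// elements below are constructed for offline runs.

// Build an error shaped like the DOMException a browser raises when
// cross-origin access is refused, so a null contentDocument and a real
// SecurityError are classified the same way.
function securityDenied(msg) {
  const err = new Error(msg);
  err.name = "SecurityError";
  return err;
}

// Run one access attempt and map its outcome onto the table vocabulary:
// "allowed" (no exception), "denied" (SecurityError) or "error" (the element
// exposes no such API at all, e.g. a TypeError).
function classify(action) {
  try {
    action();
    return "allowed";
  } catch (err) {
    return err && err.name === "SecurityError" ? "denied" : "error";
  }
}

// One r/w/x row for a given embedding element (EE).
function rwxRow(label, accessors) {
  return {
    ee: label,
    read: classify(accessors.read),
    write: classify(accessors.write),
    execute: classify(accessors.execute),
  };
}

// Accessors for frame-like EEs (<iframe>, <object>, <embed>). Browsers return
// null for the contentDocument of a cross-origin frame instead of throwing,
// so that case is turned into a denial explicitly; touching a property of a
// cross-origin contentWindow throws a real SecurityError.
function frameAccessors(el) {
  const doc = () => {
    if (!el.contentDocument) throw securityDenied("contentDocument is null");
    return el.contentDocument;
  };
  return {
    read: () => doc().body.innerHTML,
    write: () => doc().body.setAttribute("data-probe", "1"),
    execute: () => el.contentWindow.embeddedFunction(),
  };
}

// Render rows as a plain-text table, one line per EE.
function renderTable(rows) {
  const head = "EE | r | w | x";
  const body = rows.map((r) => `${r.ee} | ${r.read} | ${r.write} | ${r.execute}`);
  return [head, ...body].join("\n");
}

// Constructed stand-ins for a same-origin and a cross-origin frame, used
// when no real DOM is available (e.g. under Node).
function mockSameOriginFrame() {
  return {
    contentDocument: { body: { innerHTML: "<p>embedded</p>", setAttribute() {} } },
    contentWindow: { embeddedFunction: () => 42 },
  };
}
function mockCrossOriginFrame() {
  return {
    contentDocument: null,
    contentWindow: new Proxy({}, {
      get(_target, prop) { throw securityDenied(`Blocked access to ${String(prop)}`); },
    }),
  };
}

// In a browser, probe every frame-like element on the page; elsewhere, probe the mocks.
function runProbe() {
  const targets = typeof document !== "undefined"
    ? Array.from(document.querySelectorAll("iframe,object,embed"))
        .map((el) => [el.tagName.toLowerCase(), el])
    : [["iframe (same-origin mock)", mockSameOriginFrame()],
       ["iframe (cross-origin mock)", mockCrossOriginFrame()]];
  return targets.map(([label, el]) => rwxRow(label, frameAccessors(el)));
}

console.log(renderTable(runProbe()));
```

Dropping this into a page that embeds one same-origin and one cross-origin frame prints one row per element; under Node the two mocks stand in for them. The `classify` step is where the three-valued result matters: a "denied" cell is the browser enforcing SOP-DOM, while an "error" cell usually means the element type simply has no such API, which is the distinction the per-EE tables above rely on.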


EE: <img>

EE: <canvas>

ED: Scalable Vector Graphics (SVG)

EE: <img> and <canvas>

EE: <iframe>, <object> and <embed>

ED: JavaScript

EE: <script>

ED: Cascading Style Sheets (CSS)

EE: <link>


EE: <iframe> and Sandboxed <iframe>
