Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF

"The last few years have seen a constant rise in
vulnerabilities like cross-site scripting (XSS), HTTP response
splitting, and cross-site request forgery (XSRF or CSRF). While the
vectors and exploits of each of these vulnerability classes vary, they
all have one common thread. Each of these vulnerabilities exploits
trust shared between a user and a website by circumventing the same
basic protection mechanism: the same-origin policy.

In my experience, most developers, and even many security
people, don't really know what the same-origin policy is. Worse yet,
the rise of AJAX and mash-ups seems to have turned same-origin into
something developers are trying to break. Complicating the issue
further are the weaknesses in most browsers' implementations of
same-origin, leaving open questions about the effectiveness of the
policy itself. So, I've decided to try and capture all of the
information surrounding same-origin in one place. I also have my own
thoughts on the value of the model itself, but I'll save those for the
end." – TAOSSA

Article Link: http://taossa.com/index.php/2007/02/08/same-origin-policy/