09 Defense Mechanisms
Same-Origin Policy (SOP)
The Same-Origin Policy (SOP) is a browser security mechanism that restricts how documents or scripts loaded from one origin can interact with resources from another origin. It is a critical security mechanism for isolating potentially malicious documents.
This means that a script can only access resources from the same origin (same protocol, same host, and same port).
Cross-Origin Resource Sharing (CORS)
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to tell browsers to give a web application running at one origin access to selected resources from a different origin.
This is required to provide access to resources from different origins blocked by the SOP. Headers are used to specify what is allowed to be accessed from which origin.
Content Security Policy (CSP)
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks.
CSP can be used to lift specific restrictions imposed by the SOP.
CSP is defined using the Content-Security-Policy HTTP header or the HTML <meta http-equiv="Content-Security-Policy" content="..."/> tag.
Some of the policies that can be defined are:
- default-src: Defines the default policy for fetching resources.
- script-src: Defines valid sources for JavaScript.
- style-src: Defines valid sources for stylesheets.
- img-src: Defines valid sources for images.
- connect-src: Defines valid sources for XMLHttpRequest, WebSocket, and EventSource.
- font-src: Defines valid sources for fonts.
- object-src: Defines valid sources for the <object>, <embed>, and <applet> elements.
- media-src: Defines valid sources for the <audio> and <video> elements.
- frame-src: Defines valid sources for the <frame> and <iframe> elements.
- child-src: Defines valid sources for web workers and nested browsing contexts loaded using elements such as <frame> and <iframe>.
- form-action: Defines valid sources that can be used as the target of form submissions from a <form> element.
- …and many more…
Allowed sources for each policy can be defined using:
- *: Matches any URL.
- 'none': Prevents loading any assets.
- 'self': Matches the current origin.
- sub.domain.com: Matches the specified domain exactly.
- *.domain.com: Matches any subdomain of the specified domain.
- 'unsafe-inline': Allows the use of inline resources, such as inline <script> elements, javascript: URLs, inline event handlers, and inline <style> elements.
- 'unsafe-eval': Allows the use of eval() and similar methods for creating code from strings.
- data:: Allows the use of data: URIs.
- https:: Allows the use of HTTPS URLs.
- …and many more…
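As an added example (not part of the original notes), the following Python parses a Content-Security-Policy header value into its directives and flags the sources listed above that weaken XSS protection, taking the default-src fallback into account. The header strings are constructed for illustration.

```python
# Added example (not part of the original notes): parse a CSP header value
# and flag sources that weaken XSS protection. Header strings are constructed.

RISKY_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:", "http:", "https:"}
FALLBACK_DIRECTIVES = ("script-src", "object-src")  # both fall back to default-src


def parse_csp(header):
    """Return {directive: [source, ...]} for a Content-Security-Policy value."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy, directive):
    """Sources that apply to a fetch directive, honouring the default-src fallback."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def audit_csp(header):
    """List weaknesses in the script and plugin (object) sources of a policy."""
    policy = parse_csp(header)
    findings = []
    for directive in FALLBACK_DIRECTIVES:
        if directive not in policy and "default-src" not in policy:
            findings.append(f"{directive} unrestricted (no default-src fallback)")
            continue
        for source in effective_sources(policy, directive):
            if source in RISKY_SOURCES:
                findings.append(f"{directive} allows {source}")
    return findings


# Constructed policies: a permissive one and a locked-down one.
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' *.cdn.example"
STRICT_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
              "img-src 'self'; object-src 'none'")

if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("strict", STRICT_CSP)):
        print(label, audit_csp(header) or ["no findings"])
```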
Subresource Integrity (SRI)
Subresource Integrity (SRI) is a security feature that allows browsers to verify resources they fetch. It works by allowing you to provide a cryptographic hash that a fetched resource must match. When the resource does not match the hash, it is blocked.
Example
To calculate the hash of a file, run the following command:
echo "sha384-$(openssl dgst -sha384 -binary < FILENAME.js | openssl base64 -A)"
In the browser you can then use the following code to verify the integrity of the file:
<script src="FILENAME.js" integrity="sha384-..." crossorigin="anonymous"></script>
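As an added example (not part of the original notes), the Python below does what the openssl command above does (SHA-384 digest, base64, algorithm prefix) and then verifies fetched bytes against an integrity attribute the way a browser does, including the case where several hashes are listed and only the strongest algorithm counts. The script contents are constructed.

```python
# Added example (not part of the original notes): compute and verify
# Subresource Integrity values. SCRIPT is constructed sample content.
import base64
import hashlib

SRI_ALGORITHMS = ("sha256", "sha384", "sha512")


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity value such as 'sha384-<base64 digest>'."""
    if algorithm not in SRI_ALGORITHMS:
        raise ValueError("SRI only allows sha256, sha384 or sha512")
    digest = hashlib.new(algorithm, content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(content: bytes, integrity: str) -> bool:
    """Check fetched bytes against an integrity attribute.

    The attribute may list several space-separated hashes. Like a browser,
    only the hashes of the strongest algorithm present are considered, and
    the content must match at least one of them. Unlike a browser (which
    skips the check when no hash is usable), this fails closed.
    """
    hashes = {}
    for token in integrity.split():
        algorithm, _, b64 = token.partition("-")
        if algorithm in SRI_ALGORITHMS:
            hashes.setdefault(algorithm, set()).add(b64)
    if not hashes:
        return False
    strongest = max(hashes, key=lambda name: int(name[3:]))
    actual = sri_hash(content, strongest).split("-", 1)[1]
    return actual in hashes[strongest]


SCRIPT = b"console.log('hello from the CDN');\n"  # constructed file content

if __name__ == "__main__":
    integrity = sri_hash(SCRIPT)
    print(f'<script src="app.js" integrity="{integrity}" crossorigin="anonymous"></script>')
    print("unchanged file verifies:", sri_matches(SCRIPT, integrity))
    print("modified file verifies:", sri_matches(SCRIPT + b"//x", integrity))
```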
Secure DNS (DNSSEC)
DNSSEC is a security extension to the DNS protocol. It allows DNS clients to verify that the DNS response they received is authentic and has not been tampered with. It works by adding cryptographic signatures to DNS records.
There are a couple of root signing keys which are used to sign the top-level domain records. The top-level domain keys are then used to sign the second-level domain keys (and so on). These signatures are then verified by the client.
DNSSEC protects against DNS spoofing attacks.
HTTP Strict Transport Security (HSTS)
HTTP Strict Transport Security (HSTS) is a security feature that allows websites to enforce HTTPS. It works by allowing websites to send a special header to the browser. The browser will then only connect to the website via HTTPS. Certificate errors lead to a connection error. This prevents attackers from downgrading the connection to HTTP.
HSTS Preload
HSTS does not work on the first connection to the website (the browser only learns about HSTS from the header in the first response). This means that the first connection can still be downgraded to HTTP. To prevent this, browsers ship with a list of websites that are known to support HSTS. This list is called the HSTS preload list (https://hstspreload.org/).
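As an added example (not part of the original notes), the Python below parses a Strict-Transport-Security header and reports why it would not qualify for the preload list; the thresholds are the hstspreload.org submission requirements (max-age of at least one year, includeSubDomains, preload). The header values are constructed.

```python
# Added example (not part of the original notes): parse an HSTS header and
# check it against the preload list requirements. Sample headers are constructed.

ONE_YEAR = 31536000  # seconds; minimum max-age accepted by hstspreload.org


def parse_hsts(header):
    """Return {'max-age': int or None, 'includesubdomains': bool, 'preload': bool}."""
    result = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            value = value.strip().strip('"')
            result["max-age"] = int(value) if value.isdigit() else None
        elif name in ("includesubdomains", "preload"):
            result[name] = True
    return result


def preload_problems(header):
    """Return the reasons a header would be rejected for preloading ([] if eligible)."""
    parsed = parse_hsts(header)
    problems = []
    if parsed["max-age"] is None:
        problems.append("max-age missing or invalid")
    elif parsed["max-age"] < ONE_YEAR:
        problems.append(f"max-age {parsed['max-age']} is below one year")
    if not parsed["includesubdomains"]:
        problems.append("includeSubDomains missing")
    if not parsed["preload"]:
        problems.append("preload missing")
    return problems


if __name__ == "__main__":
    for header in ("max-age=63072000; includeSubDomains; preload", "max-age=300"):
        print(repr(header), "->", preload_problems(header) or "eligible")
```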
Newer Technologies
DNS-based Authentication of Named Entities (DANE)
DNS-based Authentication of Named Entities (DANE) is a security extension to the DNS protocol. It allows DNS clients to verify that the TLS certificate they received is authentic and has not been tampered with.
Most browsers do not yet support DANE. Plugins are available for some browsers.
Obsolete Technologies
HTTP Public Key Pinning (HPKP)
HTTP Public Key Pinning (HPKP) is a security feature that allows websites to enforce HTTPS. It works by allowing websites to send a special header to the browser. It works similarly to HSTS, but instead of allowing any certificate, it only allows a specific set of certificates.