Understanding the Uses of Same Origin Policy (SOP)

I am trying to understand what use cases exist for the use of Same Origin Policy (SOP).

SOP prevents a document or script loaded from one origin from interacting with a resource from another origin.

Everywhere. Otherwise if you visited my website example.com I would be able to read your Gmail if you were logged in at the time from the same browser.

Correct: They won’t be subject to any restrictions by the SOP.

Not true. If those scripts include other scripts (e.g. a document.write of a script tag: <script src="https://example.edu/foo.js"></script>) then those scripts will be under your website's origin too. If you include another domain's scripts under your own site, then you are giving full access to your origin to that domain.

Not true. The SOP does not stop a cross-domain AJAX request from being made – it simply stops it from being read.

Yes, for example the SOP prevents frames, IFrames and windows from cross communicating across domains. Check out MDN for a full explanation of the SOP.
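The two rules the answer above leans on (origins are compared as a scheme/host/port tuple, and a cross-origin request is still sent but its response is unreadable unless the server opts in via CORS) are easy to get wrong in a code review, so here is a small model of them as an added example. It is not code from the question or the answer; it uses only Node's built-in URL class, the CORS read rules are the standard browser ones rather than anything the page states, and the URLs, headers and the `crossOriginRead` helper are constructed for illustration.

```javascript
// Added example (not part of the original question or answer). Models the
// browser's origin comparison and the "request is sent, response is unreadable"
// behaviour of the Same Origin Policy. Runs stand-alone under Node.

// Default ports per scheme, so https://a.example and https://a.example:443
// compare as the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Origin tuple (RFC 6454): scheme, host, port. Path, query and fragment
// play no part in the comparison.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Strict tuple comparison: any difference in scheme, host or port is a
// different origin (sub.example.com vs example.com included).
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Model of a page at documentUrl issuing an XHR/fetch to targetUrl.
// SOP never stops the request leaving the browser (cookies go along when
// credentials are included); it only decides whether the script may READ
// the response. A cross-origin response is readable only if the server
// opts in with CORS headers. responseHeaders is a plain object keyed by
// lowercase header name (constructed input, not a real HTTP response).
function crossOriginRead(documentUrl, targetUrl, responseHeaders, { credentials = false } = {}) {
  const sent = true; // hypothetical flag: SOP does not block the request itself
  if (sameOrigin(documentUrl, targetUrl)) {
    return { sent, readable: true, reason: "same origin" };
  }
  const docOrigin = new URL(documentUrl).origin;
  const acao = responseHeaders["access-control-allow-origin"];
  const acac = responseHeaders["access-control-allow-credentials"];

  if (acao === docOrigin) {
    // Credentialed requests additionally need an explicit credentials opt-in.
    if (!credentials || acac === "true") {
      return { sent, readable: true, reason: "CORS allows this origin" };
    }
    return { sent, readable: false, reason: "credentialed request without Allow-Credentials" };
  }
  if (acao === "*") {
    // A wildcard never grants access to a credentialed response.
    if (!credentials) return { sent, readable: true, reason: "CORS wildcard" };
    return { sent, readable: false, reason: "wildcard does not cover credentialed requests" };
  }
  return { sent, readable: false, reason: "cross origin, no CORS opt-in" };
}

// Demonstration with constructed URLs: the attacker's page fires a credentialed
// request at the victim's webmail; it is sent, but the body stays unreadable.
const attackerPage = "https://example.com/index.html";
const webmail = "https://mail.example.edu/inbox.json";
const r = crossOriginRead(attackerPage, webmail, {}, { credentials: true });
console.log(`sent=${r.sent} readable=${r.readable} (${r.reason})`);
```

Note that `new URL(x).origin` already performs the same normalisation as `originOf`, so in production code comparing `.origin` strings is enough; the explicit tuple is spelled out here to show which three parts matter and which (path, query) do not.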
