CORS vs SOP: Why Your Browser Blocks Cross-Origin Requests (And When It Doesn’t)
CORS & SOP: Backbone of web security
Most users ignore SOP and CORS. Attackers don't. See how these silent rules protect — or expose — your web data.
PriOFF
~8 min read · February 1, 2026 (Updated: February 1, 2026)
Whenever you test a website for cross-domain attacks such as XSS, CSRF or clickjacking, you will run into CORS, SOP and CSP.
Many cross-origin attacks succeed only because CORS or CSP is misconfigured.
Understanding these mechanisms is therefore the foundation for cross-domain attacks, and for that reason I will cover:
What are SOP and CORS?
History of SOP
Why does CORS exist?
What causes the vulnerabilities?
How do they protect us?
The roles of SOP and CORS in cross-domain attacks
How to prevent CORS-based attacks
Let's start with a short, plain explanation.
CORS, SOP and CSP are web browser security mechanisms that protect users and their data. Together they help prevent cross-site attacks such as cross-site scripting, CSRF and clickjacking. Strictly speaking, SOP is the restriction, CORS is the controlled way of relaxing it, and CSP is a separate policy that the browser applies on top.
CORS and SOP are tied to each other: to understand CORS you first have to understand SOP.
CSP is a large topic on its own, so I will cover it in an upcoming post.
What is Origin?
Three parts of a URL are considered when we talk about its origin:
Protocol (scheme): the protocol in the URL (http, https, etc.)
Domain (host): the full host name, subdomains included, e.g. google.com (so api.google.com is a different host)
Port: the port number; if the URL shows no port, the default for the scheme is used (80 for http, 443 for https)
Two URLs that agree on all three are the same origin; a difference in any one of them makes them different origins. Everything after the host and port (path, query string, fragment) is not part of the origin.
Defining Origin
Examples of Origins
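The following is an added example, not code from the original post: it computes the (scheme, host, port) tuple a browser compares, fills in the default port the way the browser's URL parser does, and checks a set of constructed URL pairs. The hosts (example.com, api.example.com) are placeholders, and `originTuple`, `sameOrigin` and `serializeOrigin` are names chosen here, not browser APIs; the only browser-provided piece is the WHATWG `URL` class, which Node also ships.

```javascript
// Added example (not from the original post). Origin = (scheme, host, port);
// everything else in the URL is ignored for same-origin decisions.

// Default ports per scheme (from the URL standard). The parser drops an explicit
// port equal to the default, so https://a.example and https://a.example:443 agree.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443", "ftp:": "21" };

// Schemes without a host (file:, data:, blob:) get an "opaque" origin that equals
// nothing, not even itself; modelled here as null.
function originTuple(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),                              // "https:" -> "https"
    host: u.hostname,                                             // parser already lower-cases it
    port: u.port !== "" ? u.port : DEFAULT_PORTS[u.protocol],     // fill in the scheme default
  };
}

function sameOrigin(a, b) {
  const x = originTuple(a), y = originTuple(b);
  if (x === null || y === null) return false;   // opaque origins never match
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Serialize like the browser's location.origin: port shown only when non-default.
function serializeOrigin(urlString) {
  const t = originTuple(urlString);
  if (t === null) return "null";
  const showPort = t.port !== DEFAULT_PORTS[t.scheme + ":"];
  return `${t.scheme}://${t.host}${showPort ? ":" + t.port : ""}`;
}

// Constructed pairs: [urlA, urlB, expectedSameOrigin, why]. No real sites involved.
const PAIRS = [
  ["https://example.com/app",      "https://example.com/api/v1",  true,  "path is not part of the origin"],
  ["https://example.com",          "http://example.com",          false, "scheme differs"],
  ["https://example.com",          "https://example.com:443",     true,  "443 is the https default"],
  ["https://example.com",          "https://example.com:8443",    false, "port differs"],
  ["https://example.com",          "https://api.example.com",     false, "subdomain is a different host"],
  ["https://EXAMPLE.com",          "https://example.com/?q=1#x",  true,  "host is case-insensitive; query/fragment ignored"],
  ["https://user:pw@example.com",  "https://example.com",         true,  "userinfo is not part of the origin"],
  ["file:///tmp/a.html",           "file:///tmp/a.html",          false, "opaque origins never match"],
];

// Evaluate every pair; returns the comparison results for inspection.
function checkPairs() {
  return PAIRS.map(([a, b, expected, why]) => ({ a, b, expected, got: sameOrigin(a, b), why }));
}

for (const r of checkPairs()) {
  const mark = r.got === r.expected ? "ok " : "BAD";
  console.log(`${mark} ${serializeOrigin(r.a)} vs ${serializeOrigin(r.b)} -> ${r.got} (${r.why})`);
}
```

The last line of the table is the one people forget during testing: a page opened from disk has an opaque origin, so `file://` pages do not even match each other, and a CORS header of `null` is the only thing that lets them read anything.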
What is SOP?
SOP is a web browser security mechanism. Yes, you read that right: most people misunderstand SOP and CORS and think they are rules enforced by the server. In reality they are enforced by the browser (the server only supplies the CORS response headers that the browser then evaluates), and they are more than a simple rule.
SOP stands for Same-Origin Policy.
It is a restrictive cross-origin specification that limits the ability of a website to interact with resources outside its own origin.
It allows a page to issue requests to other origins, but not to read the responses. The request still reaches the server and the server still acts on it; only the response is withheld from the script, which is why SOP on its own does not prevent CSRF.
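The point above, that the request goes out but the response stays unreadable unless the server opts in, is easiest to see as the decision the browser makes after the response arrives. The block below is an added example, not code from the original post: it models that read-side check with the real CORS header names and matching rules. The page origin, target URL and response headers are constructed, `bank.example` and `attacker.example` are placeholder hosts, and `responseReadable` is a name chosen here, not a browser API.

```javascript
// Added example (not from the original post). Given a cross-origin request that has
// already been sent, decide whether script in `pageOrigin` may read the response.

function lowerCaseHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = v;
  return out;
}

// Returns { readable, reason }. `withCredentials` means the request carried cookies
// or an Authorization header (fetch credentials: "include" / xhr.withCredentials).
function responseReadable(pageOrigin, targetUrl, responseHeaders, withCredentials = false) {
  const targetOrigin = new URL(targetUrl).origin;
  if (targetOrigin === pageOrigin) {
    return { readable: true, reason: "same origin; SOP imposes no restriction" };
  }
  const h = lowerCaseHeaders(responseHeaders);
  const acao = h["access-control-allow-origin"];
  const acac = h["access-control-allow-credentials"];

  if (acao === undefined) {
    // The server already received and processed the request; only the read is
    // blocked. This is the SOP default and the reason SOP alone does not stop CSRF.
    return { readable: false, reason: "no Access-Control-Allow-Origin header" };
  }
  if (acao.includes(",")) {
    // Browsers reject a header that lists several origins; exactly one value is allowed.
    return { readable: false, reason: "Access-Control-Allow-Origin lists more than one origin" };
  }
  if (acao === "*") {
    if (withCredentials) {
      return { readable: false, reason: "wildcard origin is not accepted for credentialed requests" };
    }
    return { readable: true, reason: "wildcard origin, anonymous request" };
  }
  if (acao !== pageOrigin) {
    return { readable: false, reason: `allowed origin ${acao} does not match page origin ${pageOrigin}` };
  }
  if (withCredentials && acac !== "true") {
    return { readable: false, reason: "credentialed request but Access-Control-Allow-Credentials is not 'true'" };
  }
  return { readable: true, reason: "allowed origin matches page origin" };
}

// Constructed scenarios: [pageOrigin, targetUrl, responseHeaders, withCredentials].
const BANK_API = "https://bank.example/api/balance";
const SCENARIOS = {
  samePage:      ["https://bank.example",     BANK_API, {}, true],
  noCorsHeader:  ["https://attacker.example", BANK_API, {}, true],
  wildcardAnon:  ["https://attacker.example", BANK_API, { "Access-Control-Allow-Origin": "*" }, false],
  wildcardCreds: ["https://attacker.example", BANK_API, { "Access-Control-Allow-Origin": "*" }, true],
  // A server that reflects the request's Origin header and allows credentials:
  // the classic CORS misconfiguration that lets attacker.example read the balance.
  reflected:     ["https://attacker.example", BANK_API, { "Access-Control-Allow-Origin": "https://attacker.example",
                                                          "Access-Control-Allow-Credentials": "true" }, true],
  otherOrigin:   ["https://attacker.example", BANK_API, { "Access-Control-Allow-Origin": "https://app.bank.example" }, true],
};

// Map scenario name -> whether the response body is readable by the page's script.
function evaluateScenarios() {
  const results = {};
  for (const [name, [pageOrigin, url, headers, creds]] of Object.entries(SCENARIOS)) {
    results[name] = responseReadable(pageOrigin, url, headers, creds).readable;
  }
  return results;
}

for (const [name, [pageOrigin, url, headers, creds]] of Object.entries(SCENARIOS)) {
  const r = responseReadable(pageOrigin, url, headers, creds);
  console.log(`${name.padEnd(14)} readable=${r.readable} (${r.reason})`);
}
```

The `noCorsHeader` and `reflected` rows are the two ends of the story this post is about: with no header, SOP withholds the response even though the bank processed the request; with a reflected origin plus `Access-Control-Allow-Credentials: true`, the server has opted out of that protection for every origin that asks.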
History of Same-Origin Policy (SOP)
The Same-Origin Policy (SOP) was introduced in Netscape Navigator 2.02 in 1995 to prevent malicious scripts on one website from accessing sensitive data, such as cookies or DOM elements, on another site. It was created as a preventive measure shortly after JavaScript was introduced, once it became clear that a script on one site could read data belonging to another.
Evolution: originally focused on DOM access, SOP was extended to cover cookies, localStorage and XMLHttpRequest/AJAX responses, so that scripts can only read data from their own origin. (Cookies are the odd one out: they are scoped by host and path rather than by full origin, which is one reason CSRF is possible at all.)
Exceptions: while SOP blocks most interactions, it allows certain cross-origin actions, such as embedding images (`<img>`), scripts (`<script>`),