The same origin policy, enforced by Web browsers, prevents JavaScript in a document loaded from one origin from accessing data from another origin. The restriction can be relaxed using the CORS protocol.
The same origin policy is an important security concept for a number of browser-side programming languages, such as JavaScript. By default, the policy prevents pages from interacting with resources from a different origin. There are means to work around this, such as mechanisms that grant permission, data formats that aren't subject to the policy, intermediary servers and, most significantly, the CORS protocol.
This mechanism is particularly significant for modern web applications that depend heavily on HTTP cookies to maintain authenticated user sessions, because servers act on the cookie information to reveal sensitive data or perform state-changing actions. A strict separation between content provided by unrelated sites must be maintained on the client side to prevent the loss of data confidentiality or integrity.
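As an added example (not part of this tag wiki), the following shows what "same origin" means in practice (scheme, host and port, with default ports normalized) and how a server can relax the policy with CORS against an allow-list; the origins in the allow-list are constructed sample values.

```javascript
// Origin = scheme + host + port; path, query and fragment do not matter.
// The URL class drops default ports (80 for http, 443 for https).
function sameOrigin(urlA, urlB) {
  return new URL(urlA).origin === new URL(urlB).origin;
}

// Server-side CORS decision: this is the part that relaxes the policy.
// allowedOrigins is a constructed allow-list. Only an exact, normalized
// match is echoed back; with credentials a wildcard is never permitted,
// so echoing arbitrary Origin values would hand the session to any site.
function corsResponseHeaders(requestOrigin, allowedOrigins, withCredentials) {
  const headers = {};
  if (requestOrigin == null) return headers;            // same-origin or non-CORS request
  let origin;
  try {
    origin = new URL(requestOrigin).origin;             // "null" and junk fail to parse
  } catch {
    return headers;
  }
  if (!allowedOrigins.includes(origin)) return headers; // browser blocks the read
  headers['Access-Control-Allow-Origin'] = origin;
  headers['Vary'] = 'Origin';                           // keep shared caches per-origin
  if (withCredentials) headers['Access-Control-Allow-Credentials'] = 'true';
  return headers;
}
```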
See also:
- MDN: Same origin policy for JavaScript, CORS
- Wikipedia: Same origin policy
- Stack Overflow: Ways to circumvent the same-origin policy
- Related tags: cors cross-domain