Same-Origin Policy

Web browsers prevent certain types of AJAX requests, such as requests to other web sites.

The same-origin policy is a critical security mechanism that restricts how a document or a script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.

Two URLs have the same origin if the following are the same for both:

1. protocol
2. host (i.e. domain or sub-domain)
3. port (if specified)

Comparison Examples:
The following list gives examples of origin comparisons with the URL http://store.company.com/dir/page.html:

• http://store.company.com/dir2/other.html Same origin!
• http://store.company.com/dir/inner/another.html Same origin!
• https://store.company.com/page.html Failure..
• http://store.company.com:81/dir/page.html Failure..
• http://news.company.com/dir/page.html Failure..
• http://store.website.com/dir/page.html Failure..

Workarounds

1. Web Proxy – Web proxy on your server that talks to other servers to retrieve data for you.
2. JSON with Padding (JSONP) – A method for sending JSON data using the <script> tag instead of the XMLHttpRequest object.
3. Cross-Origin Resource Sharing (CORS) – A mechanism that allows restricted resources on a web page to be requested from another domain outside the domain from which the first resource was served. Similar to how CDNs work, a web page may freely embed cross-origin images, stylesheets, scripts, iframes, and videos.