Comparison (of SOP and CORS)
| | SOP (Same-origin policy) | CORS (Cross-origin resource sharing) |
|---|---|---|
| What? | A security restriction enforced by the web browser. | A mechanism, also enforced by the browser, that lets a web server relax SOP for selected origins. |
| How? | Prevents one origin from reading responses it fetched from another origin (fetch/XHR results, frame contents). | The server states in the Access-Control-Allow-Origin response header (plus Access-Control-Allow-Credentials, and Allow-Methods/Allow-Headers for preflighted requests) which origins may read the response; the browser checks those headers before exposing it to script. |
| For all? | Yes, by default for every origin and every response. | Depends on the allowed-origin list the web server sends in its HTTP headers; without them, SOP stays in force. |
Gameplan (of modern web browsers)
- The browser always enforces SOP. For a cross-origin request it tries CORS first: a simple request (GET/HEAD/POST with only safelisted headers) is sent straight away, anything else is preceded by an OPTIONS preflight. If the server answers with matching CORS headers, the page may read the response; if the server does not support CORS or does not list that origin, the browser sticks to SOP and hides the response from script.
Issue (of both mechanisms)
- Both mechanisms only control who may read a response, not who may send a request. An origin can still send data to another origin (a form POST, an `<img>` GET, a simple fetch), and the browser attaches cookies where the SameSite attribute permits, so be aware of CSRF attacks: defend with anti-CSRF tokens, SameSite cookies and server-side Origin checks, not with CORS.
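The game plan above, and the issue that a request is still sent even when its response stays unreadable, worked through as an added JavaScript model. This is not code from the original notes: it follows the Fetch standard's CORS rules, but the origins, the server policies and every function name are constructed for illustration, and nothing touches the network.

```javascript
// Added example, not part of the original notes: a model of how a modern
// browser treats a cross-origin request under SOP and CORS (Fetch standard).
// "Servers" are plain functions returning the headers they would send for a
// given Origin; all origins and policies below are constructed.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFE_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SAFE_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain',
]);

// Normalise header names to lower case and values to strings.
function lower(headers) {
  return Object.fromEntries(
    Object.entries(headers || {}).map(([k, v]) => [k.toLowerCase(), String(v)]));
}
const csv = (v) => (v || '').split(',').map((s) => s.trim().toLowerCase()).filter(Boolean);

// Request headers that are not CORS-safelisted; any of them forces a preflight.
function unsafeHeaderNames(requestHeaders) {
  return Object.entries(lower(requestHeaders))
    .filter(([name, value]) => !SAFE_HEADERS.has(name) ||
      (name === 'content-type' &&
        !SAFE_CONTENT_TYPES.has(value.split(';')[0].trim().toLowerCase())))
    .map(([name]) => name);
}

// A "simple" request (GET/HEAD/POST with only safelisted headers) is sent at
// once, cookies included where SameSite allows. That is exactly what an HTML
// form can produce, so CORS never stops it: the CSRF point from the notes.
function needsPreflight(method, requestHeaders) {
  return !SAFE_METHODS.has(method.toUpperCase()) || unsafeHeaderNames(requestHeaders).length > 0;
}

// The CORS check the browser runs on a response: may the calling origin read it?
// Failing it leaves SOP in force; the response is simply hidden from script.
function responseReadable(requestOrigin, responseHeaders, withCredentials) {
  const h = lower(responseHeaders);
  const allowOrigin = h['access-control-allow-origin'];
  if (allowOrigin === undefined) return false;       // server does not do CORS at all
  if (allowOrigin === '*') return !withCredentials;   // wildcard is rejected with credentials
  if (allowOrigin !== requestOrigin) return false;    // a single value, compared byte for byte
  return !withCredentials || h['access-control-allow-credentials'] === 'true';
}

// For a preflighted request the OPTIONS reply must pass the CORS check and also
// list the method and every non-safelisted header ('*' counts only without credentials).
function preflightApproved(requestOrigin, method, requestHeaders, preflightHeaders, withCredentials) {
  if (!responseReadable(requestOrigin, preflightHeaders, withCredentials)) return false;
  const h = lower(preflightHeaders);
  const methods = csv(h['access-control-allow-methods']);
  const allowed = csv(h['access-control-allow-headers']);
  const wildcardOk = !withCredentials;
  const methodOk = SAFE_METHODS.has(method.toUpperCase()) ||
    methods.includes(method.toLowerCase()) || (wildcardOk && methods.includes('*'));
  const headersOk = unsafeHeaderNames(requestHeaders).every(
    (name) => allowed.includes(name) || (wildcardOk && allowed.includes('*')));
  return methodOk && headersOk;
}

// The browser's game plan end to end. server(origin, isPreflight) stands in for
// the target server's CORS policy. Note: a simple request is always sent.
function crossOriginRequest({ origin, method, headers = {}, withCredentials = false, server }) {
  const preflighted = needsPreflight(method, headers);
  if (preflighted && !preflightApproved(origin, method, headers, server(origin, true), withCredentials)) {
    return { preflighted, sent: false, readable: false };
  }
  const readable = responseReadable(origin, server(origin, false), withCredentials);
  return { preflighted, sent: true, readable };
}

// Constructed server policies (hypothetical hosts).
const noCorsServer = () => ({});                               // pure SOP: no CORS headers
const allowListServer = (origin, isPreflight) => {             // CORS with an allowed-origin list
  if (origin !== 'https://app.example') return {};
  const h = { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true', Vary: 'Origin' };
  if (isPreflight) Object.assign(h, { 'Access-Control-Allow-Methods': 'PUT, DELETE',
    'Access-Control-Allow-Headers': 'Content-Type, X-Request-Id' });
  return h;
};
const reflectingServer = (origin) => ({                        // the allow list done wrong: echoes any Origin
  'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true',
});

// Stand-alone demo: a credentialed form POST is sent to a non-CORS server but stays unreadable.
console.log(crossOriginRequest({ origin: 'https://app.example', method: 'POST',
  headers: { 'Content-Type': 'application/x-www-form-urlencoded' }, withCredentials: true, server: noCorsServer }));
```

The three policies show the spectrum from the table: `noCorsServer` is SOP only (request sent, response hidden), `allowListServer` is CORS with a real allow list (only the listed origin reads, and a JSON PUT from anyone else is stopped at the preflight), and `reflectingServer` shows why the allow list matters, since echoing any Origin with credentials lets an arbitrary site read the response.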