diff options
Diffstat (limited to 'files/pt-pt/web/security/same-origin_policy/index.html')
| -rw-r--r-- | files/pt-pt/web/security/same-origin_policy/index.html | 263 |
1 files changed, 263 insertions, 0 deletions
diff --git a/files/pt-pt/web/security/same-origin_policy/index.html b/files/pt-pt/web/security/same-origin_policy/index.html new file mode 100644 index 0000000000..a6ebc31ad6 --- /dev/null +++ b/files/pt-pt/web/security/same-origin_policy/index.html @@ -0,0 +1,263 @@ +--- +title: Same-origin policy +slug: Web/Seguranca/Same-origin_policy +translation_of: Web/Security/Same-origin_policy +--- +<div>{{QuickLinksWithSubpages("/en-US/docs/Web/Security")}}</div> + +<p><span class="seoSummary">The <strong>same-origin policy</strong> is a critical security mechanism that restricts how a document or script loaded from one {{Glossary("origin")}} can interact with a resource from another origin.</span> It helps isolate potentially malicious documents, reducing possible attack vectors.</p> + +<p>Definição de uma Origem</p> + +<p>Duas URL tem a mesma origem se o {{Glossary("protocol")}}, {{Glossary("port")}} (if specified), and {{Glossary("host")}} are the same for both. You may see this referenced as the "scheme/host/port tuple", or just "tuple". (A "tuple" is a set of items that together comprise a whole — a generic form for double/triple/quadruple/quintuple/etc.)</p> + +<p>The following table gives examples of origin comparisons with the URL <code>http://store.company.com/dir/page.html</code>:</p> + +<table class="standard-table"> + <tbody> + <tr> + <th>URL</th> + <th>Outcome</th> + <th>Reason</th> + </tr> + <tr> + <td><code>http://store.company.com/dir2/other.html</code></td> + <td>Same origin</td> + <td>Only the path differs</td> + </tr> + <tr> + <td><code>http://store.company.com/dir/inner/another.html</code></td> + <td>Same origin</td> + <td>Only the path differs</td> + </tr> + <tr> + <td><code>https://store.company.com/page.html</code></td> + <td>Failure</td> + <td>Different protocol</td> + </tr> + <tr> + <td><code>http://store.company.com:81/dir/page.html</code></td> + <td>Failure</td> + <td>Different port (<code>http://</code> is port 80 by default)</td> + </tr> + <tr> + <td><code>http://news.company.com/dir/page.html</code></td> + <td>Failure</td> + <td>Different host</td> + </tr> + </tbody> +</table> + +<h3 id="Inherited_origins">Inherited origins</h3> + +<p>Scripts executed from pages with an <code>about:blank</code> or <code>javascript:</code> URL inherit the origin of the document containing that URL, since these types of URLs do not contain information about an origin server.</p> + +<div class="note"> +<p>For example, <code>about:blank</code> is often used as a URL of new, empty popup windows into which the parent script writes content (e.g. via the {{domxref("Window.open()")}} mechanism). If this popup also contains JavaScript, that script would inherit the same origin as the script that created it.</p> +</div> + +<div class="warning"> +<p><code>data:</code> URLs get a new, empty, security context.</p> +</div> + +<h3 id="Exceptions_in_Internet_Explorer">Exceptions in Internet Explorer</h3> + +<p>Internet Explorer has two major exceptions to the same-origin policy:</p> + +<dl> + <dt>Trust Zones</dt> + <dd>If both domains are in the <em>highly trusted zone</em> (e.g. corporate intranet domains), then the same-origin limitations are not applied.</dd> + <dt>Port</dt> + <dd>IE doesn't include port into same-origin checks. Therefore, <code>https://company.com:81/index.html</code> and <code>https://company.com/index.html</code> are considered the same origin and no restrictions are applied.</dd> +</dl> + +<p>These exceptions are nonstandard and unsupported in any other browser.</p> + +<h2 id="Changing_origin">Changing origin</h2> + +<p>A page may change its own origin, with some limitations. A script can set the value of {{domxref("document.domain")}} to its current domain or a superdomain of its current domain. If set to a superdomain of the current domain, the shorter superdomain is used for same-origin checks.</p> + +<p>For example, assume a script from the document at <code>http://store.company.com/dir/other.html</code> executes the following:</p> + +<pre class="brush: js notranslate">document.domain = "company.com"; +</pre> + +<p>Afterward, the page can pass the same-origin check with <code>http://company.com/dir/page.html</code> (assuming <code>http://company.com/dir/page.html</code> sets its <code>document.domain</code> to "<code>company.com</code>" to indicate that it wishes to allow that - see {{domxref("document.domain")}} for more). However, <code>company.com</code> could <strong>not</strong> set <code>document.domain</code> to <code>othercompany.com</code>, since that is not a superdomain of <code>company.com</code>.</p> + +<p>The port number is checked separately by the browser. Any call to <code>document.domain</code>, including <code>document.domain = document.domain</code>, causes the port number to be overwritten with <code>null</code>. Therefore, one <strong>cannot</strong> make <code>company.com:8080</code> talk to <code>company.com</code> by only setting <code>document.domain = "company.com"</code> in the first. It has to be set in both so their port numbers are both <code>null</code>.</p> + +<div class="note"> +<p><strong>Note:</strong> When using <code>document.domain</code> to allow a subdomain to access its parent securely, you need to set <code>document.domain</code> to the <em>same value</em> in both the parent domain and the subdomain. This is necessary even if doing so is simply setting the parent domain back to its original value. Failure to do this may result in permission errors.</p> +</div> + +<h2 id="Cross-origin_network_access">Cross-origin network access</h2> + +<p>The same-origin policy controls interactions between two different origins, such as when you use {{domxref("XMLHttpRequest")}} or an {{htmlelement("img")}} element. These interactions are typically placed into three categories:</p> + +<ul> + <li>Cross-origin <em>writes</em> are typically allowed. Examples are links, redirects, and form submissions. Some HTTP requests require <a href="/en-US/docs/Web/HTTP/CORS#Preflighted_requests">preflight</a>.</li> + <li>Cross-origin <em>embedding</em> is typically allowed. (Examples are listed below.)</li> + <li>Cross-origin <em>reads</em> are typically disallowed, but read access is often leaked by embedding. For example, you can read the dimensions of an embedded image, the actions of an embedded script, or the <a class="external" href="https://bugzilla.mozilla.org/show_bug.cgi?id=629094">availability of an embedded resource</a>.</li> +</ul> + +<p>Here are some examples of resources which may be embedded cross-origin:</p> + +<ul> + <li>JavaScript with <code><script src="…"></script></code>. Error details for syntax errors are only available for same-origin scripts.</li> + <li>CSS applied with <code><link rel="stylesheet" href="…"></code>. Due to the <a class="external" href="https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html">relaxed syntax rules</a> of CSS, cross-origin CSS requires a correct <code>Content-Type</code> header. Restrictions vary by browser: <a class="external" href="https://docs.microsoft.com/en-us/previous-versions/windows/internet-explorer/ie-developer/compatibility/gg622939(v=vs.85)?redirectedfrom=MSDN">Internet Explorer</a>, <a class="external" href="https://www.mozilla.org/en-US/security/advisories/mfsa2010-46/">Firefox</a>, <a class="external" href="https://bugs.chromium.org/p/chromium/issues/detail?id=9877">Chrome</a> , <a class="external" href="https://support.apple.com/kb/HT4070">Safari</a> (scroll down to CVE-2010-0051) and <a class="external" href="https://security.opera.com/cross-domain-data-theft-with-css-load-opera-security-advisories/">Opera</a>.</li> + <li>Images displayed by {{htmlelement("img")}}.</li> + <li>Media played by {{htmlelement("video")}} and {{htmlelement("audio")}}.</li> + <li>External resources embedded with {{htmlelement("object")}} and {{htmlelement("embed")}}.</li> + <li>Fonts applied with {{cssxref("@font-face")}}. Some browsers allow cross-origin fonts, others require same-origin.</li> + <li>Anything embedded by {{htmlelement("iframe")}}. Sites can use the {{HTTPHeader("X-Frame-Options")}} header to prevent cross-origin framing.</li> +</ul> + +<h3 id="How_to_allow_cross-origin_access">How to allow cross-origin access</h3> + +<p>Use <a href="/en-US/docs/Web/HTTP/CORS">CORS</a> to allow cross-origin access. CORS is a part of {{Glossary("HTTP")}} that lets servers specify what hosts are permitted to load content from that server.</p> + +<h3 id="How_to_block_cross-origin_access">How to block cross-origin access</h3> + +<ul> + <li>To prevent cross-origin writes, check an unguessable token in the request — known as a <a class="external" href="https://owasp.org/www-community/attacks/csrf">Cross-Site Request Forgery (CSRF)</a> token. You must prevent cross-origin reads of pages that require this token.</li> + <li>To prevent cross-origin reads of a resource, ensure that it is not embeddable. It is often necessary to prevent embedding because embedding a resource always leaks some information about it.</li> + <li>To prevent cross-origin embeds, ensure that your resource cannot be interpreted as one of the embeddable formats listed above. Browsers may not respect the <code>Content-Type</code> header. For example, if you point a <code><script></code> tag at an HTML document, the browser will try to parse the HTML as JavaScript. When your resource is not an entry point to your site, you can also use a CSRF token to prevent embedding.</li> +</ul> + +<h2 id="Cross-origin_script_API_access">Cross-origin script API access</h2> + +<p>JavaScript APIs like {{domxref("HTMLIFrameElement.contentWindow", "iframe.contentWindow")}}, {{domxref("window.parent")}}, {{domxref("window.open")}}, and {{domxref("window.opener")}} allow documents to directly reference each other. When two documents do not have the same origin, these references provide very limited access to {{domxref("Window")}} and {{domxref("Location")}} objects, as described in the next two sections.</p> + +<p>To communicate between documents from different origins, use {{domxref("window.postMessage")}}.</p> + +<p>Specification: <a class="external" href="https://html.spec.whatwg.org/multipage/browsers.html#cross-origin-objects">HTML Living Standard § Cross-origin objects</a>.</p> + +<h3 id="Window">Window</h3> + +<p>The following cross-origin access to these <code>Window</code> properties is allowed:</p> + +<table class="fullwidth-table standard-table"> + <thead> + <tr> + <th scope="col">Methods</th> + </tr> + </thead> + <tbody> + <tr> + <td>{{domxref("window.blur")}}</td> + </tr> + <tr> + <td>{{domxref("window.close")}}</td> + </tr> + <tr> + <td>{{domxref("window.focus")}}</td> + </tr> + <tr> + <td>{{domxref("window.postMessage")}}</td> + </tr> + </tbody> +</table> + +<table class="fullwidth-table standard-table"> + <thead> + <tr> + <th scope="col">Attributes</th> + <th scope="col"></th> + </tr> + </thead> + <tbody> + <tr> + <td>{{domxref("window.closed")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.frames")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.length")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.location")}}</td> + <td>Read/Write.</td> + </tr> + <tr> + <td>{{domxref("window.opener")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.parent")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.self")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.top")}}</td> + <td>Read only.</td> + </tr> + <tr> + <td>{{domxref("window.window")}}</td> + <td>Read only.</td> + </tr> + </tbody> +</table> + +<p>Some browsers allow access to more properties than the above.</p> + +<h3 id="Location">Location</h3> + +<p>The following cross-origin access to <code>Location</code> properties is allowed:</p> + +<table class="fullwidth-table standard-table"> + <thead> + <tr> + <th scope="col">Methods</th> + </tr> + </thead> + <tbody> + <tr> + <td>{{domxref("location.replace")}}</td> + </tr> + </tbody> +</table> + +<table class="fullwidth-table standard-table"> + <thead> + <tr> + <th scope="col">Attributes</th> + <th scope="col"></th> + </tr> + </thead> + <tbody> + <tr> + <td>{{domxref("URLUtils.href")}}</td> + <td>Write-only.</td> + </tr> + </tbody> +</table> + +<p>Some browsers allow access to more properties than the above.</p> + +<h2 id="Cross-origin_data_storage_access">Cross-origin data storage access</h2> + +<p>Access to data stored in the browser such as <a href="/en-US/docs/Web/API/Web_Storage_API">Web Storage</a> and <a href="/en-US/docs/Web/API/IndexedDB_API">IndexedDB</a> are separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin.</p> + +<p>{{glossary("Cookie", "Cookies")}} use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix. Firefox and Chrome use the <a class="external" href="https://publicsuffix.org/">Public Suffix List</a> to determine if a domain is a public suffix. Internet Explorer uses its own internal method to determine if a domain is a public suffix. The browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (HTTP/HTTPS) or port is used. When you set a cookie, you can limit its availability using the <code>Domain</code>, <code>Path</code>, <code>Secure</code>, and <code>HttpOnly</code> flags. When you read a cookie, you cannot see from where it was set. Even if you use only secure https connections, any cookie you see may have been set using an insecure connection.</p> + +<h2 id="See_also">See also</h2> + +<ul> + <li><a href="https://www.w3.org/Security/wiki/Same_Origin_Policy">Same Origin Policy at W3C</a></li> + <li><a href="https://web.dev/secure/same-origin-policy">Same-origin policy at web.dev</a></li> +</ul> + +<div class="originaldocinfo"> +<h2 id="Original_Document_Information" name="Original_Document_Information">Original Document Information</h2> + +<ul> + <li>Author(s): Jesse Ruderman</li> +</ul> +</div> |