Reputation: 139
Same Origin Policy (SOP) is often mentioned together with Cross Site Scripting (XSS). But it seems that in a world with SOP, XSS still happens from time to time. So I am never clear about exactly what kind of attacks the Same Origin Policy prevents. In other words, imagine a world without SOP: what other powers could a malicious attacker gain compared to the real world with SOP?
I read on this website (http://security.stackexchange.com/questions/8264/why-is-the-same-origin-policy-so-important) that "Assume you are logged into Facebook and visit a malicious website in another browser tab. Without the same origin policy JavaScript on that website could do anything to your Facebook account that you are allowed to do." This actually makes me even more confused, because I have never heard of any mechanism for a webpage in one tab manipulating other tabs, even from the same domain. It is also mentioned (more explicitly) here (http://javascript.info/tutorial/same-origin-security-policy) that SOP prevents script in one window from manipulating DOM elements in another window. But I really cannot relate the example to what is explained (what does "window" mean here? It seems that the example is talking about iframes).
To sum up, can anyone give some concrete examples of what could happen if there were no SOP?
Also, I am curious about how script in one window can manipulate DOM elements in another window, assuming the two windows are from the same domain. But this is not the main focus of this question.
Thank you!
Upvotes: 4
Views: 381
Reputation: 536329
I have never heard of any mechanism for webpage in one tab manipulating other tabs [...] it seems that the example is talking about iframe
`iframe` is the easiest but not the only way of getting cross-window scripting. Another way to do it would be for the attacker page to `window.open` a document from facebook.com into a new tab. Because `open` returns a handle to the tab's `window` object, it is possible for script in one tab to interact with content in another tab.
Without the SOP, that script could fill in and submit forms in that tab on your behalf.
XSS still happens from time to time. So I am never clear about what exactly kind of attacks do Same Origin Policy prevent?
Without SOP, every web page is vulnerable to XSS and no-one can ever be secure.
With SOP, web pages are secure against XSS unless their authors make a mistake. XSS still happens from time to time because site authors do, unfortunately, make mistakes.
Upvotes: 2
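To make the `window.open` handle concrete, here is an added example (not code from the answer above, and not a real browser API): a Node.js model of what a browser does when script in one window holds a reference to another window, whether from `window.open()` or an iframe's `contentWindow`. The names `makeBrowsingContext`, `openWindow`, `windowHandle` and `tryCrossWindowAttack`, the sample cookie and the form contents are assumptions made for this simulation. It also covers the question's side point: two windows on the same origin can reach each other's DOM.

```javascript
// Added example, not code from the answer above: a Node.js model of what a
// browser does when script in one window holds a reference to another window
// (the handle returned by window.open(), or an <iframe>'s contentWindow).
// Browser internals are simulated; makeBrowsingContext, openWindow,
// windowHandle and tryCrossWindowAttack are names assumed for this model,
// not real DOM APIs.

// A document's origin is its (scheme, host, port) triple. The WHATWG URL
// parser serialises it; default ports are dropped, non-default ones kept.
function originOf(url) {
  return new URL(url).origin;
}

// Stands in for the DOMException a real browser throws.
class SecurityError extends Error {
  constructor(message) {
    super(message);
    this.name = "SecurityError";
  }
}

// The small subset of Window that the HTML spec exposes across origins:
// enough to navigate, message or close the other window, never its DOM.
// (Real browsers restrict these further, e.g. `location` is write-only.)
const CROSS_ORIGIN_ALLOWED = new Set([
  "location", "postMessage", "closed", "close", "focus", "blur",
  "frames", "length", "top", "parent", "opener", "window", "self",
]);

// One tab or frame ("browsing context") holding a minimal document.
// The cookie and form contents are constructed sample data.
function makeBrowsingContext(url) {
  return {
    location: { href: url },
    closed: false,
    postMessage(msg) { this.inbox = msg; },
    document: {
      cookie: "c_user=123456; xs=secret-session-token",
      forms: {
        status: {
          fields: { text: "" },
          submitted: false,
          submit() { this.submitted = true; },
        },
      },
    },
  };
}

// What window.open() hands back: a reference whose property access is gated
// by the Same Origin Policy. sameOriginPolicy=false models the hypothetical
// browser the question asks about.
function windowHandle(opener, target, { sameOriginPolicy = true } = {}) {
  const openerOrigin = originOf(opener.location.href);
  const sameOrigin = openerOrigin === originOf(target.location.href);
  return new Proxy(target, {
    get(t, prop) {
      if (!sameOriginPolicy || sameOrigin || CROSS_ORIGIN_ALLOWED.has(prop)) {
        return t[prop];
      }
      throw new SecurityError(`Blocked a frame with origin "${openerOrigin}" ` +
        `from accessing a cross-origin frame (property "${String(prop)}").`);
    },
  });
}

function openWindow(opener, url, opts) {
  return windowHandle(opener, makeBrowsingContext(url), opts);
}

// The attack from the answer: a page on evil.example opens facebook.com in a
// new tab and tries to fill in and submit a form there and read its cookies.
function tryCrossWindowAttack({ sameOriginPolicy }) {
  const evil = makeBrowsingContext("https://evil.example/");
  const fb = openWindow(evil, "https://www.facebook.com/", { sameOriginPolicy });
  try {
    const form = fb.document.forms.status; // throws SecurityError under SOP
    form.fields.text = "Visit evil.example!";
    form.submit();
    return { outcome: "submitted", cookie: fb.document.cookie, closed: fb.closed };
  } catch (e) {
    if (!(e instanceof SecurityError)) throw e;
    // The cross-origin subset still works: the attacker can see the tab is
    // open and could navigate or close it, but cannot touch its document.
    return { outcome: e.name, cookie: null, closed: fb.closed };
  }
}

console.log("without SOP:", tryCrossWindowAttack({ sameOriginPolicy: false }));
console.log("with SOP:   ", tryCrossWindowAttack({ sameOriginPolicy: true }));
```

Note that the origin comparison is exact: `https://www.facebook.com` and `http://www.facebook.com` are different origins, and so are two ports on the same host, which is why a page opened from the same site can script its sibling while a page from any other scheme, host or port cannot.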
Reputation: 6675
One example: for a malicious web page it would be possible to make JavaScript AJAX requests to another web page where the user is already logged in, in the user's context. That other page would assume that the request comes from an authorized user. For example, a malicious script could make AJAX calls to Facebook and post a new status, or to a bank transaction service and make a transfer, if only the user is logged in to Facebook or his bank. People usually open many pages in browser tabs at the same time, so it would be very probable that someone browsing the malicious web page is at the same time logged in to some sensitive service that could be hacked that way.
Upvotes: 0
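The following is an added example, not the answerer's code, simulating the scenario above in Node.js: a page on one origin issuing requests to a bank on another origin while the user is logged in there. It goes one step further than the answer by separating the two things a cross-origin request involves: the request itself, which the browser sends with the victim's cookies whether or not SOP exists, and reading the reply, which is what SOP (absent a CORS opt-in) actually blocks. That is why a server still needs its own CSRF defence, here a token that only a same-origin page can read. The bank service, its routes, the cookie jar, the sample balance and token, and the names `bankServer`, `browserFetch` and `runAttack` are all assumptions made for this model.

```javascript
// Added example, not code from the answer above: a Node.js simulation of the
// scenario it describes, a page on one origin issuing requests to a service
// on another origin while the user is logged in there. The bank service, its
// routes, the cookie jar and the names bankServer, browserFetch and runAttack
// are assumptions made for this model, not real APIs.

function originOf(url) {
  return new URL(url).origin;
}

// Cookies the browser holds, keyed by the origin that set them. The browser
// attaches them to every request to that origin no matter which page started
// the request: this is the "user's context" the answer refers to.
// (Constructed sample data.)
const cookieJar = { "https://bank.example": "session=alice-logged-in" };

// A tiny bank: GET /account returns the balance and a CSRF token, POST
// /transfer moves money. requireCsrfToken is the server setting under test.
function bankServer({ requireCsrfToken }) {
  const state = { balance: 1000, csrfToken: "tok-7f3a" };
  return function handle(req) {
    if (req.cookie !== "session=alice-logged-in") {
      return { status: 401, body: { error: "not logged in" } };
    }
    const path = new URL(req.url).pathname;
    if (req.method === "GET" && path === "/account") {
      return { status: 200, body: { balance: state.balance, csrfToken: state.csrfToken } };
    }
    if (req.method === "POST" && path === "/transfer") {
      if (requireCsrfToken && req.body.csrfToken !== state.csrfToken) {
        return { status: 403, body: { error: "missing or wrong CSRF token" } };
      }
      state.balance -= req.body.amount;
      return { status: 200, body: { ok: true, balance: state.balance } };
    }
    return { status: 404, body: {} };
  };
}

// The browser side of an XMLHttpRequest/fetch from `page` to `url`. The
// request always goes out, with the target origin's cookies. What the Same
// Origin Policy controls is whether the *calling page* may read the reply:
// same origin, yes; cross origin, only if the server opts in with
// Access-Control-Allow-Origin (CORS); otherwise the reply is opaque.
// sameOriginPolicy=false models the browser the question imagines.
function browserFetch(page, url, { method = "GET", body = {} } = {}, server,
                      { sameOriginPolicy = true } = {}) {
  const target = originOf(url);
  const res = server({ method, url, body, cookie: cookieJar[target] || "" });
  const acao = (res.headers || {})["Access-Control-Allow-Origin"];
  const mayRead = !sameOriginPolicy || originOf(page) === target ||
                  acao === "*" || acao === originOf(page);
  return mayRead ? { readable: true, status: res.status, body: res.body }
                 : { readable: false, status: 0, body: null }; // opaque
}

// Script on https://evil.example/ tries to move money out of Alice's account.
function runAttack({ sameOriginPolicy, requireCsrfToken }) {
  const page = "https://evil.example/";
  const bank = bankServer({ requireCsrfToken });
  const xhr = (url, opts) => browserFetch(page, url, opts, bank, { sameOriginPolicy });

  // Step 1: read the account page to learn the balance and the CSRF token.
  const account = xhr("https://bank.example/account");
  const csrfToken = account.readable ? account.body.csrfToken : undefined;

  // Step 2: send the transfer. Under SOP the request still carries Alice's
  // session cookie; the script just cannot read what the bank answered.
  const transfer = xhr("https://bank.example/transfer",
                       { method: "POST", body: { amount: 500, csrfToken } });

  // What the bank actually did, as seen by the bank's own (same-origin) page.
  const audit = browserFetch("https://bank.example/", "https://bank.example/account", {}, bank);
  return {
    couldReadAccount: account.readable,
    couldReadTransferReply: transfer.readable,
    balanceAfter: audit.body.balance,
  };
}

console.log("no SOP, token required: ", runAttack({ sameOriginPolicy: false, requireCsrfToken: true }));
console.log("SOP, token required:    ", runAttack({ sameOriginPolicy: true, requireCsrfToken: true }));
console.log("SOP, no token (CSRF):   ", runAttack({ sameOriginPolicy: true, requireCsrfToken: false }));
```

Three runs tell the story: without SOP the attacker reads the account page, obtains the token and drains the account; with SOP and a token check the account page is opaque, the forged transfer is refused and the balance is untouched; with SOP but no token check the transfer still goes through even though the attacker never sees the reply, which is the CSRF case SOP alone does not cover.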