Introduction

SOP stands for Same Origin Policy. It is a security mechanism that is implemented by the browser. This is important to know for later, but we will go much deeper into the topic.

First of all we need to determine what exactly SOP is and why we use it. Only then can we try to get around the restrictions that are put in place, and we will also talk a bit about CORS since it is related to SOP.

What is it?

SOP is a mechanism that tries to prevent attackers like us from executing JavaScript on the computer of the target. It does this by checking the origin of the script: only if the origin of the script matches the origin of the website under attack will the script be executed.

The definition given by Firefox is very vague, so we left it out of this document, but you can look it up if you want and you will see how hard it is to understand.

Origins

First we need to talk a bit about origin.

<http://www.example.com:80/test>

In this example our origin would be http://www.example.com:80. This is because the origin consists of the protocol (http), the domain (www.example.com) and the port (80) if applicable. Websites are usually hosted on port 80, so the port is usually not displayed, but in the background the browser does use port 80 for HTTP and 443 for HTTPS.

The path (/test) is not part of the origin. This is important to know for later.

<https://www.example.com:443/test> - Reference origin
<http://www.example.com:80/test> - Protocol and port don't match
<https://www.example.nl:443/test> - Domain doesn't match
<https://www.example.com:8080/test> - Port doesn't match

The three examples below the first one do not have the same origin as the reference.
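To make the origin comparison concrete, here is an added example (not code from the original post) that computes an origin from a URL the way a browser does and reports which component breaks the match. The candidate URLs are the ones listed above; the helper names (originOf, sameOrigin, mismatchReason) are my own.

```javascript
// Default ports are implied when a URL omits them, so they must be filled in
// before comparing; otherwise https://a.com and https://a.com:443 would differ.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Returns { scheme, host, port } for a URL. The path, query and fragment are
// deliberately dropped: they are not part of the origin.
function originOf(urlString) {
  const u = new URL(urlString);            // WHATWG parser strips default ports
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return { scheme: u.protocol, host: u.hostname, port };
}

// Two URLs share an origin only if scheme, host and port all match.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Lists the components that differ, which is what you want to know when a
// browser refuses to hand a response to a script from another origin.
function mismatchReason(a, b) {
  const x = originOf(a), y = originOf(b);
  const reasons = [];
  if (x.scheme !== y.scheme) reasons.push("protocol");
  if (x.host !== y.host) reasons.push("domain");
  if (x.port !== y.port) reasons.push("port");
  return reasons;
}

// Constructed inputs: the reference URL and the three non-matching ones above,
// plus one that matches despite a different path and an omitted port.
const REFERENCE = "https://www.example.com:443/test";
const CANDIDATES = [
  "https://www.example.com/other?x=1",
  "http://www.example.com:80/test",
  "https://www.example.nl:443/test",
  "https://www.example.com:8080/test",
];

for (const c of CANDIDATES) {
  const verdict = sameOrigin(REFERENCE, c) ? "same origin" : "cross-origin";
  console.log(`${c} -> ${verdict} ${mismatchReason(REFERENCE, c).join(", ")}`);
}
```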

Back to SOP

Same Origin Policy checks whether the origin of the script to be executed matches the origin of the target. This increases security, but also the complexity of the security solution, which leaves some room for us hackers to possibly find ways around SOP; we will talk about those later.

What's important to know is that SOP is implemented at the browser level, so the response is not shared across origins.

As you can see in the image below, the server still sends a response, since SOP is not implemented on the server but in the browser. When the response arrives at the browser, it is blocked by the SOP mechanism in the victim's browser.

I've been talking about scripts a lot, but resources can be much more than just scripts. SOP checks the following resources: