
Web Security: Same-Origin Policies

Offered By: LinkedIn Learning

Tags

Web Development Courses, Secure Communication Courses, Web Security Courses, Content Security Policy Courses, Cross-Origin Resource Sharing (CORS) Courses, Same-Origin Policy Courses

Course Description

Overview

Same-origin policies play an important role in web security by protecting data. In this course, learn how to develop secure, interactive sites.

Syllabus

Introduction
  • Working with browser security features
  • What you should know
  • Set up your environment
  • Configure servers for testing
1. Basics of Same-Origin Policies
  • Understanding same-origin policies
  • Defining an origin
  • Cross-site scripting attacks
  • Cross-site request forgery attacks
2. Securing Shared Data with CORS Restrictions
  • Cross-origin resource sharing
  • Create a permissive Access-Control-Allow-Origin header
  • Create a tailored Access-Control-Allow-Origin header
3. Securing Sites with a Content Security Policy
  • The Content-Security-Policy header
  • Build a Content Security Policy header
  • Create a Content Security Policy meta element
  • Create a Content Security Policy for a widget
  • Create a highly restrictive Content Security Policy
4. Securing Communication with Transport Security
  • The Strict-Transport-Security header
  • Implement the Strict-Transport-Security header
  • Include subdomains in Strict-Transport-Security
  • Add a domain to the Strict-Transport-Security preload list
5. Communicating Securely across Browser Windows
  • Code that communicates across windows
  • Implement the postMessage method
  • Work with a received message
  • Specify the target domain for a message
  • Specify the allowed message sender origin
  • Use cross-window data in an app
6. Securing Cookies
  • How cookie origins are defined
  • Restrict a cookie to a subdomain
  • Share cookies across subdomains
  • Restrict the path of a cookie
  • Limit a cookie to the same site
  • Work with server-only cookies
Conclusion
  • Next steps

Taught by

Sasha Vodnik
