According to Dev, the browser's security model serves as the primary defense against a wide array of malicious activities. Because every open tab can potentially host untrusted code near sensitive banking sessions or private accounts, these security protocols are considered load-bearing walls rather than optional features for modern web architecture.
The core threats to web environments
Security models exist specifically to counter common attack vectors that target user information. Without these protections, malicious actors could easily perform several types of exploits:
- Reading cookies to facilitate session hijacking.
- Making unauthorized requests on behalf of a user via Cross-Site Request Forgery (CSRF).
- Injecting and executing scripts through Cross-Site Scripting (XSS).
- Leaking data through side-channels like timing attacks or Spectre.
- Embedding sites to steal clicks or loading authenticated resources inside malicious pages.
Same-Origin Policy as a foundational shield
The Same-Origin Policy (SOP) is the oldest and most fundamental security mechanism in web browsers. It restricts how documents and scripts from one origin can interact with resources from another. An origin is strictly defined by three components: the protocol, the host, and the port; if any one of them differs, the two are different origins. For instance, a request from https://app.com to http://app.com would be treated as cross-origin because the protocols differ.
While SOP prevents JavaScript on an evil domain from reading the DOM or cookies of a banking site, it has specific limitations. It does not block the sending of cross-origin requests; it only blocks the ability to read the response. This distinction is why CSRF remains a viable threat, as a form submission can still reach a server even if the attacker cannot see the result.
Managing exceptions with CORS
Cross-Origin Resource Sharing (CORS) acts as a deliberate exception to the SOP, allowing servers to opt in to specific cross-origin requests via HTTP headers. This is often handled through a handshake process where simple requests go through directly, while preflighted requests, such as those using the DELETE method or custom headers, require an OPTIONS request first so the browser can check the server's policy before sending the real request.
A common security failure occurs when developers attempt to fix CORS issues by dynamically reflecting the Origin header without proper validation. If a server responds with an Access-Control-Allow-Origin header carrying that reflected value while also allowing credentials, it creates a massive vulnerability: any site can issue authenticated requests from a victim's browser and, because the server has opted in, read the responses that SOP would otherwise have withheld. Experts warn that developers must avoid using wildcards and instead implement strict allow-lists to ensure only trusted origins can access sensitive API responses.
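The origin comparison and the CORS decision described above, as an added example that is not code from the article or from Dev. It contrasts the reflecting pattern with an exact-match allow-list; the trusted origins and the request origins are constructed for the example.

```javascript
// Added example (not from the original article). Origin comparison under the
// Same-Origin Policy, plus the CORS decision a server makes for a credentialed
// request: the insecure "reflect whatever Origin the client sent" pattern
// beside a strict allow-list.

// An origin is scheme + host + port. URL.origin drops default ports, so
// "https://app.com:443" equals "https://app.com", while "http://app.com"
// (different scheme) and "https://app.com:8443" (different port) do not.
function originOf(url) {
  return new URL(url).origin;
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Insecure: echoes the request's Origin and allows credentials. Every site on
// the web can then read this API's authenticated responses in a victim's browser.
function corsHeadersReflecting(requestOrigin) {
  return {
    "Access-Control-Allow-Origin": requestOrigin,
    "Access-Control-Allow-Credentials": "true",
  };
}

// Hardened: exact-match allow-list of trusted origins (constructed values).
// Unknown or malformed origins get no Access-Control-* headers at all, so the
// browser withholds the response from the calling page.
const TRUSTED_ORIGINS = new Set([
  "https://app.example",
  "https://admin.app.example",
]);

function corsHeadersAllowList(requestOrigin) {
  let origin;
  try {
    origin = new URL(requestOrigin).origin; // normalise before comparing
  } catch {
    return {}; // "null" or garbage is not a valid origin: deny
  }
  // Set membership is an exact match, so "https://app.example.evil.test"
  // cannot pass the way a prefix or substring check would let it.
  if (!TRUSTED_ORIGINS.has(origin)) return {};
  return {
    "Access-Control-Allow-Origin": origin,
    "Access-Control-Allow-Credentials": "true",
    // Vary: Origin stops a cache from serving one origin's response to another.
    "Vary": "Origin",
  };
}
```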