Module 13 · Browser Origin Boundaries

Manish Garg
Manish Garg Associate of (ISC)² · RingSafe
Apr 27, 2026
1 min read
Read as

Last updated: April 29, 2026

100% Free

No signup. No paywall. No catch. One of our 10 most-requested practitioner modules — published in full so anyone can learn for free. We earn through consulting, not by gating knowledge.

See all 10 free modules →

Same-Origin Policy is the bedrock of web security. But “origin” has nuances: scheme matters, port matters, path doesn’t. Subdomains aren’t same-origin (they’re same-site, different concept).

Same-Origin Policy is the bedrock of web security. But “origin” has nuances: scheme matters, port matters, path doesn’t. Subdomains aren’t same-origin (they’re same-site, different concept).

CORS is opt-in cross-origin. It carries credentials only with explicit allow. Access-Control-Allow-Origin: * with credentials is invalid. Many implementations get this wrong.

postMessage crosses origins by design. Receiver must validate event.origin — many don’t. Cross-origin XSS via lazy postMessage handlers is common.

Want this for your team?

Custom team training + practitioner advisory

Beyond the free academy — we run private workshops, vCISO advisory, and red-team exercises tailored to your stack. For Indian SMBs scaling past their first hire.

Book team training call Replies in 4 working hrs · India-only · Senior consultants
← Previous · Module 12
Module 12 · The Cookie Confusion Cascade
← Back to Academy Hub
Continue Learning

Other modules in this track

View all modules
Academy
Module 1 · Beginner

Every web vuln is a trust-boundary bug. Learn to see boundaries before learning to exploit them.

Apr 22, 2026 · 4 min read
Academy
Module 2 · Intermediate

Injection isn't about bad input. It's attackers smuggling tokens into an interpreter's grammar.

Apr 22, 2026 · 4 min read
Academy
Module 3 · Intermediate

Authentication is one gate. Authorization is every gate after. Most breaches live in the latter.

Apr 22, 2026 · 4 min read