
Question

The same origin policy is a wholly client-based restriction, and is primarily engineered to protect users, not services. All or most browsers include a command-line switch or configuration option to turn it off. The SOP is like seat belts in a car: they protect the rider in the car, but anyone can freely choose not to use them. Certainly don't expect a person's seat belt to stop them from getting out of their car and attacking you (or accessing your Web service).

Suppose I write a program that accesses your Web service. It's just a program that sends TCP messages that include HTTP requests. You're asking for a server-side mechanism to distinguish between requests made by my program (which can send anything) and requests made by a browser that has a page loaded from a permitted origin. It simply can't be done; my program can always send a request identical to one formed by a Web page.

The same-origin policy was invented because it prevents code from one website from accessing credential-restricted content on another site. Ajax requests are by default sent with any auth cookies granted by the target site. For example, suppose I accidentally load http://evil.com/, which sends a request for http://mail.google.com/. If the SOP were not in place, and I was signed into Gmail, the script at evil.com could see my inbox. If the site at evil.com wants to load mail.google.com without my cookies, it can just use a proxy server; the public contents of mail.google.com are not a secret (but the contents of mail.google.com when accessed with my cookies are a secret).

Whenever I read something or hear someone talking about HTML5, CSS and JavaScript support, they always refer to Internet Explorer with the version number such as Internet Explorer 6, and Internet Explorer 9. But they only refer to Google Chrome, Firefox, Safari and others without version numbers.

Shouldn't they also specify the version number in which certain web technologies are incompatible for other browsers instead of just Internet Explorer?
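The SOP argument above, as an added example that is not part of the original post: a small model of the browser's same-origin decision. It shows that a cross-origin script's request still leaves the browser carrying the target site's cookies (so the server sees nothing unusual), and that only the browser decides whether the script may read the response. The hostnames, cookie name and value are constructed for illustration.

```javascript
// Constructed model of the browser-side same-origin check (added example, not
// the original answer's code). Cookie values below are made up.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// An origin is the (scheme, host, port) triple; a missing port means the
// scheme's default, so http://a.com/ and http://a.com:80/ are the same origin.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Cookie jar keyed by host: the browser attaches a site's cookies to any
// request to that site, regardless of which page's script issued it.
function cookiesFor(jar, urlString) {
  return jar[new URL(urlString).hostname] || {};
}

// Model of a script running on `pageUrl` making an XHR/fetch-style request to
// `targetUrl`. The request goes out with the target's cookies; whether the
// calling script may read the response is decided purely inside the browser.
function simulateScriptRequest(pageUrl, targetUrl, jar) {
  const cookies = cookiesFor(jar, targetUrl);
  const request = {
    url: targetUrl,
    cookie: Object.entries(cookies).map(([k, v]) => `${k}=${v}`).join("; "),
  };
  // The server receives `request` as-is and cannot tell it apart from one a
  // non-browser client formed by hand; only the browser's policy restricts the
  // caller, which is why SOP protects the user rather than the service.
  const responseReadable = isSameOrigin(pageUrl, targetUrl);
  return { request, responseReadable };
}

// Constructed session cookie for the example from the post.
const jar = { "mail.google.com": { SID: "constructed-session-value" } };
const crossSite = simulateScriptRequest("http://evil.com/", "http://mail.google.com/", jar);
const sameSite = simulateScriptRequest("http://mail.google.com/", "http://mail.google.com/inbox", jar);
console.log(crossSite.request.cookie, crossSite.responseReadable); // SID=constructed-session-value false
console.log(sameSite.responseReadable); // true
```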

Explanation / Answer

Well, that mainly has two reasons:

1. IE versions have major differences
While other browsers may have no (obvious) difference between versions, Internet Explorer, being the only browser pre-installed (and basically hard-coded) in Windows, has huge differences from version 6 to version 10. Version 10 is almost as good a browser as Chrome or Firefox, while version 6 is an unreliable, slow, good-for-nothing, over-customized browser still used by some non-tech-savvy users, and it is incompatible with thousands of features introduced after it was created (that was over a decade ago).
You can see some compatibility examples here.

2. Being pre-installed has an impact on the market
Since IE comes with Windows, and while other OSes are gaining publicity, Windows has been the default for thousands (if not millions) of people, for a long time. Since these people hire programmers to do stuff, like make their websites, programmers are forced to make it look good on the client's screen, even if that doesn't always target the largest audience.

Of course, most of us are trying to have a good result on both the client's screen and their clients' screens, but that isn't always easy, if our client has IE 6. (And believe me: some of them will think that you are not a good developer if you ask them to change their browser)

So, in conclusion, we tend to always refer to IE with its version, because it does mean something different for development.
