- A cookie is included with every request to the domain on which it was defined—regardless of the origin of the page issuing the request.
- A cookie can be set as Secure, meaning that it will only be sent by the browser over HTTPS.
- If the domain for a cookie is set to .mydomain.com, it will be sent with requests to any subdomain at mydomain.com.
- Cookies should be signed by the server in order prevent them from being altered by anyone other than the server (this doesn't prevent anyone from reading the contents of the cookies, just from anyone tampering with them; the secret used to sign cookies in Rails is in config/initializers/secret_token.rb).
- Subdomains count as different origins.
- HTTP and HTTPS versions of the same page count as different origins.
- Communication with iframes abides by the same rules, though there are mechanisms for allowing cross origin communication here as well (postMessage, sandbox warning: if nothing else, I hope what I say tonight shows you that you need to be extremely careful with such things!)
XSS (Cross-Site Scripting)
CSRF (Cross-Site Request Forgery)
The Same Origin Policy prevents the attacker from receiving any data back from the site, so the attacker is limited to attacks that rely on changing something on the server rather than retrieving something directly from the server.
Subdomains & CSRF Tokens
Egor Homakov (famous for a particular commit to Rails) discovered a way to hijack CSRF tokens in Webkit browsers on sites that enable user generated content to be displayed on subdomains of the main site (Github pages were susceptible to this, so they moved Github Pages to Github.io). It was this article, and Egor's proposed solution of page boxing that inspired subdomain boxing.