Browser Security Model Explained: SOP, CORS, XSS, CSRF and How They Work Together
Modern web browsers operate as hostile execution environments: untrusted code in one tab runs alongside sensitive user sessions in another. The browser's security model, built around policies such as the Same-Origin Policy (SOP) and Cross-Origin Resource Sharing (CORS), was designed to counter threats such as session hijacking, cross-site scripting (XSS), and cross-site request forgery (CSRF). SOP restricts how scripts from one origin (defined by the combination of protocol, host, and port) can interact with resources from another. It blocks reading cross-origin responses rather than sending cross-origin requests, which is why CSRF attacks remain possible. CORS lets servers deliberately opt in to cross-origin access via HTTP headers, but a common misconfiguration, reflecting any incoming Origin header back without validation while also allowing credentials, effectively bypasses SOP and exposes authenticated data to any site. Understanding these boundaries is essential for developers, since attackers routinely exploit gaps in their implementation to steal user data or hijack sessions.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.