Same-Origin Policy probe (expected failures)
Attempt parent DOM, storage, and cookie access to see exactly what SOP blocks and what it still allows.
Behavior by sandbox policy
| Policy | Expected result |
|---|---|
| No sandbox | blocked |
| sandbox="allow-scripts" | blocked |
| sandbox="" (strictest) | blocked |
Direct parent access is blocked by the Same-Origin Policy itself, whatever the sandbox attribute says: sandbox flags decide what the frame may do (run scripts, navigate the top frame, submit forms), not whether it may read a cross-origin parent. With sandbox="" scripts do not run in the frame at all, so the probe is never even attempted.
Embed snippet
This snippet uses the dedicated embed page. Paste it into your own service and check rendering or blocking behavior.
<iframe src="https://xss-playground.com/embed/sop-probe?lang=en" title="XSS Playground - Same-Origin Policy probe (expected failures)" width="600" height="420" loading="lazy" referrerpolicy="strict-origin-when-cross-origin"></iframe>
This page verifies the things that should fail. Every direct parent access should be blocked with a SecurityError. Some probes succeed only when the frame is embedded same-origin, because SOP compares origins; it does not care about the iframe boundary itself.
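The probe described above, written out as an added example (it is not the playground's own code): each parent access is attempted in a try/catch and recorded as blocked or allowed. In the embedded page you would call probeParent(window.parent, window); makeCrossOriginWindow() is a constructed stand-in for a cross-origin Window, modelled on the members browsers expose across origins (postMessage, location.replace, the href setter) versus those that throw (document, storage, location.href reads), so the probe also runs under Node.

```javascript
// Added example, not the playground's own code. probeParent() is the probe;
// makeCrossOriginWindow() is a constructed model of a cross-origin Window used
// so the probe can be exercised outside a browser.

function probeParent(parentWin, selfWin) {
  if (parentWin === selfWin) {
    // Not embedded at all: there is no parent to probe.
    return [{ probe: 'embedding', blocked: false, detail: 'top-level, no parent' }];
  }
  const results = [];
  const attempt = (probe, fn) => {
    try {
      results.push({ probe, blocked: false, detail: String(fn()) });
    } catch (e) {
      // Browsers throw a DOMException named SecurityError for cross-origin reads.
      results.push({ probe, blocked: true, detail: e.name });
    }
  };

  // Reads that SOP must block for a cross-origin embedder.
  attempt('parent.document', () => parentWin.document.title);
  attempt('parent.document.cookie', () => parentWin.document.cookie);
  attempt('parent.localStorage', () => parentWin.localStorage.length);
  attempt('parent.location.href (read)', () => parentWin.location.href);

  // Operations that stay reachable across origins. Whether a top-level
  // navigation actually goes through is decided by sandbox flags, not by SOP.
  attempt('parent.postMessage', () => { parentWin.postMessage('sop-probe', '*'); return 'sent'; });
  attempt('parent.location.replace (callable)', () => typeof parentWin.location.replace);
  // replace() is deliberately not invoked: it would navigate the embedder away.
  return results;
}

function summarize(results) {
  return {
    blocked: results.filter(r => r.blocked).map(r => r.probe),
    allowed: results.filter(r => !r.blocked).map(r => r.probe),
  };
}

class SecurityError extends Error {
  constructor(message) { super(message); this.name = 'SecurityError'; }
}

// Constructed model of a cross-origin Window: only cross-origin-exposed members
// resolve; everything else throws SecurityError, as a browser would.
function makeCrossOriginWindow() {
  const location = new Proxy({}, {
    get(_target, prop) {
      if (prop === 'replace') return () => undefined;   // exposed cross-origin
      throw new SecurityError(`Blocked a frame from reading location.${String(prop)}`);
    },
    set(_target, prop) {
      if (prop === 'href') return true;                 // href is writable cross-origin
      throw new SecurityError(`Blocked a frame from writing location.${String(prop)}`);
    },
  });
  const exposed = { postMessage() {}, location, length: 0, closed: false };
  return new Proxy(exposed, {
    get(target, prop) {
      if (prop in target) return target[prop];
      throw new SecurityError(`Blocked a frame from accessing ${String(prop)}`);
    },
  });
}

// In a browser, run the real probe and print it; under Node, the model is used.
if (typeof window !== 'undefined') {
  console.table(probeParent(window.parent, window));
} else {
  console.table(probeParent(makeCrossOriginWindow(), {}));
}
```

When embedded same-origin, the first four probes return real values instead of SecurityError, which is the quick way to tell from inside the frame whether the embedder shares your origin.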
Explanation
- A cross-origin iframe cannot directly read the parent's DOM, storage, or cookies. This is the area SOP truly protects.
- By contrast, writes to parent.location, parent.postMessage, form submission, and sending fetch requests may still be allowed cross-origin. Whether a top-level navigation or form submit actually goes through is decided by sandbox flags (allow-top-navigation, allow-forms), not by SOP, and a cross-origin fetch can be sent even though its response stays unreadable without CORS.
- The risk surface of cross-origin iframes is therefore user deception, message-handler abuse, and automatic requests rather than direct parent-data theft.
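The message-handler abuse named in the last bullet, as an added example that is not the playground's own code: the parent cannot be read by a cross-origin frame, but the frame can call parent.postMessage, so whatever the parent's `message` listener does with event.data is reachable from any origin that can embed it or be embedded by it. The weak and hardened listeners below are side by side; `sink` stands in for a DOM element, and ALLOWED_ORIGINS and createEvent are constructed for this example.

```javascript
// Added example, not the playground's own code. ALLOWED_ORIGINS, createEvent()
// and the `sink` object are constructed stand-ins for this demonstration.

const ALLOWED_ORIGINS = new Set(['https://app.example']);   // constructed allow-list

// Weak listener: trusts any sender and renders the payload as HTML.
// Any page that can reach window.postMessage on this document can inject markup.
function handleMessageUnsafe(event, sink) {
  sink.innerHTML = event.data;            // attacker-controlled markup is parsed
  return true;
}

// Hardened listener: pin the sender origin, require a typed message with a
// bounded string field, and only ever assign text, never markup.
function handleMessageSafe(event, sink) {
  if (!ALLOWED_ORIGINS.has(event.origin)) return false;       // unexpected sender
  const msg = event.data;
  if (!msg || typeof msg !== 'object' || msg.type !== 'greeting') return false;
  if (typeof msg.text !== 'string' || msg.text.length > 200) return false;
  sink.textContent = msg.text;            // text assignment does not parse HTML
  return true;
}

// Sender side: never broadcast with '*' when the message carries anything
// sensitive; name the origin so a hijacked parent cannot receive it.
function sendToParent(parentWin, msg, targetOrigin) {
  if (targetOrigin === '*') throw new Error('refusing to postMessage with wildcard origin');
  parentWin.postMessage(msg, targetOrigin);
  return true;
}

// Constructed MessageEvent-like object in the shape a browser delivers.
function createEvent(origin, data) {
  return { origin, data, source: null };
}

// Browser wiring (not executed under Node):
// window.addEventListener('message', e => handleMessageSafe(e, document.getElementById('out')));
```

The origin check alone is not enough: a trusted origin can still be navigated or compromised, so the handler also constrains the message shape and writes only text. Checking `event.source` against the frame you created is a further step when the parent owns the iframe.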