Cheat Sheet

SOP - same origin policy
CORS - cross-origin ressource sharing
CSRF/XSRF - cross-site request forgery
(XSS - cross-site scripting)

Same-Origin Policy

"What a web page is allowed to know."
origin = <protocol, hostname, port>

Cross Origin HTTP headers

Access-Control-Allow-Origin: <origin> | *
https://developer.mozilla.org/en-US/docs/Web/HTTP/Access_control_CORS
simple requests vs complicated... preflight

HTTP requests (browser)

XMLHttpRequest (javascript GET, POST, PUT, DELETE, etc.)
- Angular: $http()
- JQuery: $.ajax()
Form submit
<img src="...">, stylesheets, etc.
<script src="...">
- JSONP (JSON with padding; bypass same-origin restrictions; do not use)
Websocket ("TCP connection")
WebRTC ("UDP connection")

Finer Points

Cookies sent as part of a CORS request? (XMLHttpRequest: only if explicitely allowed; FORM SUBMIT: ???)
Secure cookies, "http only" cookies: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#Secure_and_HttpOnly_cookies
Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet