Content Ownership
Many of the important security mechanisms that browsers enforce rely on the domain name of the content being served. The “same origin policy” is the rule that client-side code from two different domains cannot directly interact with each other. In other words, the same origin policy prevents client-side code served from http://www.evil.com from interacting with client-side code served from http://www.bank.com.
Perhaps one of the simplest examples of insecure content ownership is an application that allows a user to upload an HTML page. Assume that an application at http://www.example.com/ allows users to upload an HTML file to an uploads folder (http://www.example.com/uploads/). Also assume that an attacker uploads a file called evil.html onto this location. When a user requests http://www.example.com/uploads/evil.html, the browser will render and execute all content and script code under the context of http://www.example.com. If evil.html contains JavaScript that grabs the document.cookie object and ferries it to an attacker’s web server, the attacker will be able to steal the session of every legitimate user who visits http://www.example.com/uploads/evil.html. This is one of the most basic examples of insecure content ownership. In the following sections, we will discuss and demonstrate more advanced scenarios that illustrate the many emerging variants of content ownership tactics.
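The upload scenario above is usually closed on the server side by making sure user-supplied files are never rendered as HTML inside the application's origin. The following Python is an added example (not code from the book): a hypothetical helper that decides how an uploaded file is served. It assumes a dedicated user-content origin (https://usercontent.example.net), an allow-list of types that may be displayed inline, and that anything with an active extension, or whose first bytes sniff as markup, is delivered only as an opaque download with sniffing disabled.

```python
import re
from dataclasses import dataclass, field

# Hypothetical dedicated origin for uploads (assumption, not from the book). The
# application's session cookies are not scoped to it, so content rendered there
# runs outside the application's origin.
USER_CONTENT_ORIGIN = "https://usercontent.example.net"

# Extensions a browser may render as active content; never served inline.
ACTIVE_EXTENSIONS = {"html", "htm", "xhtml", "shtml", "svg", "xml", "js", "mhtml"}

# Small allow-list of types that are safe to display inline, keyed by extension.
INLINE_TYPES = {"png": "image/png", "jpg": "image/jpeg", "jpeg": "image/jpeg",
                "gif": "image/gif", "txt": "text/plain"}

# Markup in the leading bytes that would make a sniffing browser treat the body as HTML.
HTML_SNIFF = re.compile(rb"<\s*(!doctype|html|head|body|script|svg|iframe|meta|img)\b", re.I)


@dataclass
class ServingPlan:
    url: str
    headers: dict = field(default_factory=dict)


def looks_like_html(data: bytes) -> bool:
    """True if the first bytes contain active markup, regardless of the file name."""
    return HTML_SNIFF.search(data[:1024]) is not None


def plan_upload_response(filename: str, data: bytes) -> ServingPlan:
    """Decide how to serve an upload so it never executes under the app's origin."""
    # Keep only characters that cannot break the Content-Disposition header.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:128] or "file"
    ext = safe_name.rsplit(".", 1)[-1].lower() if "." in safe_name else ""
    # Active extension, HTML-looking bytes, or an unknown type: download only.
    active = ext in ACTIVE_EXTENSIONS or looks_like_html(data) or ext not in INLINE_TYPES
    if active:
        content_type, disposition = "application/octet-stream", "attachment"
    else:
        content_type, disposition = INLINE_TYPES[ext], "inline"
    headers = {
        "Content-Type": content_type,
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        "X-Content-Type-Options": "nosniff",   # no MIME sniffing back to text/html
        "Content-Security-Policy": "sandbox",  # no script and no origin if rendered anyway
        "Cache-Control": "no-store",
    }
    return ServingPlan(url=f"{USER_CONTENT_ORIGIN}/uploads/{safe_name}", headers=headers)
```

A file named photo.png whose bytes start with a doctype is treated the same as evil.html, which is the case an extension-only check misses.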
Abusing Flash’s crossdomain.xml
The same origin policy can ...