Browser Security Internals: Origins, CORS & Attack Vectors
Explore browser security from first principles — origin computation, Same-Origin Policy enforcement, CORS preflight and simple request flows, credentialed requests, cookie security attributes (SameSite, HttpOnly, Secure), CSRF attack mechanics, XSS injection contexts, and Content Security Policy enforcement.
See the Invisible
Interactive simulators visualise what's hidden from view.
Hands-On Labs
Step through executions tick by tick. Manipulate state.
Why, Not Just What
Understand the reasoning behind every design decision.
Quizzes & Cheatsheets
Verify your understanding and keep a quick reference handy.
Get Certified
Earn a shareable certificate to prove your deep expertise.
Become the Engineer Who Supervises AI
As AI generates more code, understanding what that code does becomes more valuable, not less. Someone must verify AI output, debug failures, and make architectural decisions.
Build Your Architectural Edge
AI can generate your CORS headers. It can't tell you why the browser still rejects the request.
The browser's security model is invisible until it breaks your code
You've stared at "blocked by CORS policy" errors and toggled Access-Control-Allow-Origin headers until something worked. You've shipped SameSite=None on cookies without fully understanding what cross-site transmission you just enabled. You've accepted AI-suggested security configurations and pushed them to production without being able to evaluate whether they close the vulnerability or just silence the warning. Every one of these moments is a security decision made without seeing the system that enforces it.
See the invisible security layer the browser enforces on every request
Step-based simulations make origin checks, CORS negotiations, and attack flows visible and inspectable.
Watch origin comparison in real time
Step through the browser's scheme://host:port tuple matching to see exactly why two URLs share an origin or don't, so you stop guessing at Same-Origin Policy violations.
Trace CORS preflight negotiation
Follow the full OPTIONS request flow, from Access-Control-Request headers to the server's Allow grants, so you configure CORS policies from understanding rather than trial and error.
Follow attack execution step by step
Walk through CSRF and XSS attack sequences from the attacker's payload to the victim's browser executing it, so you can identify and close these vectors in your own applications.
What's Covered
From origin computation to attack defense: the browser security model as a connected system.
Diagnose cross-origin access failures instantly by knowing how browsers compute, compare, and enforce origin trust boundaries on every request.
Configure cross-origin requests correctly on the first try, from simple request criteria to credentialed preflight flows with ambient cookie authority.
Set cookie attributes with precision and defend state-changing endpoints against forgery using SameSite enforcement and anti-CSRF synchronization tokens.
Recognize injection contexts across HTML, attribute, and JavaScript boundaries, then lock them down with nonce-based Content Security Policy directives.
The Curriculum
Comprehensive Lessons! Each with theory, interactive simulation, and quiz.
Origin Computation and Trust Boundaries
How the browser computes an Origin from the scheme://host:port tuple, evaluates edge cases like HTTP vs. HTTPS, implicit vs. explicit ports, and subdomain isolation, then compares origin tuples on every cross-context access attempt.
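The origin computation this lesson steps through, written out as an added example (not course material). It relies on the WHATWG URL parser, which already lowercases the host and drops an explicit default port, and treats schemes outside http(s)/ws(s) as opaque origins.

```javascript
// Added example (not course material): compute a browser origin and compare two of them.
// An origin is the (scheme, host, port) tuple. The WHATWG URL parser already lowercases the
// host and drops an explicit default port, so "https://Example.com:443/" and
// "https://example.com" parse to the same tuple; a subdomain is a different host.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// Returns the tuple, or null for schemes (data:, file:, ...) that get an opaque origin.
function computeOrigin(urlString) {
  const u = new URL(urlString);
  if (!(u.protocol in DEFAULT_PORTS)) return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname,
    port: u.port === "" ? DEFAULT_PORTS[u.protocol] : u.port, // make the implicit port explicit
  };
}

// Serialises like the Origin header: default port omitted, opaque origins become "null".
function serializeOrigin(origin) {
  if (origin === null) return "null";
  const isDefault = DEFAULT_PORTS[`${origin.scheme}:`] === origin.port;
  return `${origin.scheme}://${origin.host}${isDefault ? "" : `:${origin.port}`}`;
}

// Names the tuple components that differ; an empty array means same origin.
// Opaque origins never match anything, not even themselves.
function originDiff(a, b) {
  const oa = computeOrigin(a), ob = computeOrigin(b);
  if (oa === null || ob === null) return ["opaque"];
  return ["scheme", "host", "port"].filter((k) => oa[k] !== ob[k]);
}

const sameOrigin = (a, b) => originDiff(a, b).length === 0;
```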
Same-Origin Policy (SOP) Enforcement Mechanics
The asymmetric rules of SOP: why cross-origin writes (form POSTs, redirects) and cross-origin embedding (images, scripts) are permitted while cross-origin reads (DOM access, fetch response inspection) are strictly blocked. How localStorage and IndexedDB are isolated per origin.
CORS Preflight and Simple Request Flows
The evaluation criteria separating Simple Requests (GET/HEAD/POST with specific Content-Types like application/x-www-form-urlencoded and CORS-safelisted headers) from requests requiring Preflight negotiation via the OPTIONS method, Access-Control-Request-* headers, and server-side Access-Control-Allow-Origin grants.
Credentialed CORS and Ambient Authority
How browsers automatically attach cookies to outbound requests based on the destination domain. The strict CORS requirements for credentialed requests: client-side credential inclusion flags, explicit Access-Control-Allow-Credentials: true, and the prohibition of wildcard (*) values in Access-Control-Allow-Origin.
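The two CORS decisions described in this lesson and the previous one, as an added example (not course material): whether a request needs a preflight, and whether the response headers grant access to the requesting origin, credentials considered. Header names are compared case-insensitively; the safelist follows the Fetch standard but leaves out its per-header value-length limits.

```javascript
// Added example (not course material): the two decisions the browser makes for a cross-origin fetch.
// 1) needsPreflight: may the request go out directly, or must an OPTIONS preflight come first?
// 2) corsAllowsResponse: do the response headers grant this Origin access, credentials considered?
const SAFELISTED_METHODS = new Set(["GET", "HEAD", "POST"]);
const SAFELISTED_HEADERS = new Set(["accept", "accept-language", "content-language", "content-type"]);
const SAFELISTED_CONTENT_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

const lowerKeys = (h) => Object.fromEntries(Object.entries(h).map(([k, v]) => [k.toLowerCase(), v]));

// Simplified from the Fetch spec: the per-header value limits (128 bytes) are not modelled.
function needsPreflight(method, headers = {}) {
  if (!SAFELISTED_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(lowerKeys(headers))) {
    if (!SAFELISTED_HEADERS.has(name)) return true;          // e.g. Authorization, X-Requested-With
    if (name === "content-type") {
      const mime = String(value).split(";")[0].trim().toLowerCase(); // drop "; charset=..."
      if (!SAFELISTED_CONTENT_TYPES.has(mime)) return true;  // application/json forces preflight
    }
  }
  return false;
}

// requestOrigin is the serialized Origin header the browser sent, e.g. "https://app.example.com".
function corsAllowsResponse(requestOrigin, responseHeaders, withCredentials) {
  const h = lowerKeys(responseHeaders);
  const allowOrigin = h["access-control-allow-origin"];
  if (allowOrigin === undefined) return false;               // the classic "blocked by CORS policy"
  if (allowOrigin === "*") return !withCredentials;          // wildcard never pairs with credentials
  if (allowOrigin !== requestOrigin) return false;           // must be an exact, single origin
  if (withCredentials && h["access-control-allow-credentials"] !== "true") return false;
  return true;
}
```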
Cookie Security Attributes and Transmission Scope
How Set-Cookie attributes modify cookie behavior: the Secure flag restricting transmission to HTTPS, the HttpOnly flag preventing document.cookie access, and SameSite enforcement (Strict, Lax, None) controlling transmission across top-level navigations vs. subresource requests.
CSRF Mechanics and State Modification
How Cross-Site Request Forgery exploits ambient authority and SOP's permission of cross-origin writes to trigger authenticated state-changing requests from an attacker-controlled origin. The defense mechanics of SameSite=Lax defaults and anti-CSRF synchronization tokens validated at the application layer.
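The cookie transmission rules from this lesson and the previous one, as an added example (not course material): given a cookie's Secure and SameSite attributes, will the browser attach it to a request? The forged cross-site POST at the end is the CSRF scenario from the lesson; "site" is approximated as scheme plus the last two host labels, without the Public Suffix List a real browser consults.

```javascript
// Added example (not course material): decide whether a cookie rides along on a request,
// given its Secure and SameSite attributes and the request's relationship to the top-level page.
// "Site" is approximated as scheme + last two host labels; a real browser consults the
// Public Suffix List (so co.uk is handled correctly), which this deliberately omits.
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.hostname.split(".").slice(-2).join(".")}`;
}

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// cookie:  { sameSite: "Strict" | "Lax" | "None" | undefined, secure: boolean }
// request: { url, method, topLevelUrl, isTopLevelNavigation }
//   topLevelUrl is the document that initiated the request (what the address bar shows).
function cookieIsSent(cookie, request) {
  if (cookie.sameSite === "None" && !cookie.secure) return false;   // rejected at Set-Cookie time
  if (cookie.secure && new URL(request.url).protocol !== "https:") return false; // Secure: HTTPS only
  if (siteOf(request.url) === siteOf(request.topLevelUrl)) return true;         // same-site: always
  switch (cookie.sameSite) {
    case "Strict":
      return false;                       // never on cross-site requests
    case "None":
      return true;                        // cross-site allowed (Secure already verified above)
    default:                              // "Lax", also what browsers assume when the attribute is absent:
      return request.isTopLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
  }
}

// The lesson's CSRF scenario: a form on attacker.example auto-submits a POST to bank.example.
// Hostnames are constructed; .example is a reserved TLD.
function forgedPostCarriesSession(sameSite) {
  return cookieIsSent(
    { sameSite, secure: true },
    { url: "https://bank.example/transfer", method: "POST",
      topLevelUrl: "https://attacker.example/", isTopLevelNavigation: true },
  );
}
```

Note that a Lax cookie is still sent on a cross-site top-level GET, which is why state-changing GET endpoints stay exposed even with the Lax default and need the token check the lesson describes.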
XSS Execution and Injection Contexts
How Cross-Site Scripting achieves code execution within the victim's trusted origin by exploiting the browser parser state machine. How input is interpreted differently across HTML element contexts, HTML attribute contexts, and JavaScript string contexts. The distinct mechanics of Reflected, Stored, and DOM-based XSS.
Content Security Policy (CSP) Enforcement
Defense-in-depth via CSP directives (default-src, script-src, connect-src) restricting code execution and resource loading regardless of injection vectors. Nonce-based inline script allowance, strict-dynamic propagation, and violation tracking with the report-to directive and Reporting-Endpoints header.
Stop guessing at browser security. Start making informed decisions.
After this course, you'll read CORS errors and know the fix before reaching for Stack Overflow. You'll configure cookie attributes, CSP directives, and cross-origin policies based on how the browser actually evaluates them, and you'll review AI-generated security configs with the confidence to accept, reject, or correct them on sight.
Ready to see what's really happening?
All deep dives included with your subscription. Cancel anytime.