I am familiar with persistent and non-persistent XSS. I also know about the same-origin policy that prevents/restricts requests originating from one website's page to go to anoth
SOP typically cannot prevent either XSS or CSRF.
For XSS, jakber's answer already provides a good explanation. I just want to add that the reason to call this vulnerability "cross-site" is because the attacker can inject code (e.g. <script src="...">) into the target page that loads malicious JavaScript from another website, which is typically controlled by the attacker. Loading JavaScript from another website is not denied by SOP, because doing that would break the Web.
For CSRF, SOP cannot prevent it in most cases because SOP does not prevent website A from sending GET and POST requests to website B.
Typically no.
A non-persistent or reflected XSS attack exploits input that is echoed back as page content without proper sanitization, without persisting it. The injected script will seem to come from the exploited domain in both cases.
For example, if you do this in PHP:
echo $_GET['param'];
and send a link to the page to somebody containing
?param=<script>alert('got you!');</script>
it is a non-persistent XSS attack, and the same-origin policy has nothing to do with it.
Same-origin means that you cannot directly inject scripts or modify the DOM on other domains: that's why you need to find an XSS vulnerability to begin with.
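Added example, not part of either answer: the reflected echo from the second answer next to an output-encoded version, plus a Content-Security-Policy header that restricts the cross-origin script loads which, as the first answer notes, SOP allows. The function names, the page markup and the CSP value are assumptions chosen for illustration.

```php
<?php
// Added example; function names and sample input are constructed.

// Vulnerable: the pattern from the answer, input echoed back verbatim.
function render_vulnerable(array $query): string
{
    return '<p>You searched for: ' . ($query['param'] ?? '') . '</p>';
}

// Hardened: encode for the HTML context before output, so markup in the
// parameter is displayed as text instead of being parsed by the browser.
function render_escaped(array $query): string
{
    // ?param[]=x arrives as an array; treat anything but a string as empty.
    $value = is_string($query['param'] ?? null) ? $query['param'] : '';
    return '<p>You searched for: '
        . htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')
        . '</p>';
}

// SOP does not stop a page from loading scripts from other origins.
// This CSP does: only same-origin script files are allowed, and inline
// <script> blocks are refused because 'unsafe-inline' is not listed.
function send_csp_header(): void
{
    header("Content-Security-Policy: default-src 'self'; script-src 'self'");
}

// Constructed sample input: the query string from the answer.
$sample = ['param' => "<script>alert('got you!');</script>"];

if (PHP_SAPI === 'cli') {
    // Command-line run: print both renderings for comparison.
    echo render_vulnerable($sample), PHP_EOL;
    echo render_escaped($sample), PHP_EOL;
} else {
    // Web request: send the policy, then the encoded output only.
    send_csp_header();
    echo render_escaped($_GET);
}
```

Run from the command line, the first line of output still contains a live script element, while the second shows it as `&lt;script&gt;...` text.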