To defend against attacks, a developer needs to mitigate vulnerabilities and add security features to an application. Luckily, on the web, the browser provides many security features. Some are available for developers to opt-in, and some are turned on by default to protect users.
The idea of a "sandbox"
Why is a sandbox necessary?
The browser sandbox is the key feature that makes browsing on the web frictionless by making it safer to run arbitrary code.
Make it secure by design
If the browser is sandboxing each web application, should we even care about security? Absolutely yes!
First of all, sandbox features are not the perfect shield. Even though browser engineers work hard, browsers could have vulnerabilities and attackers are always trying to bypass the sandbox (such as with Spectre Attack).
The sandbox could sometimes get in a way of creating a great web experience. For example, a browser may block a fetch request to an image hosted on a different domain. You can share resources on different domains by turning on Cross-Origin Resource Sharing (CORS for short), but if it is not done carefully you can expose a resource to everyone else on the web, essentially undoing the sandbox.
A secure web experience can only be achieved if security is baked into the design of your application, and strong design starts with understanding existing features. The next two guides dive into CORS and same-origin policy in depth.
Except as otherwise noted, the content of this page is licensed under the Creative Commons Attribution 4.0 License, and code samples are licensed under the Apache 2.0 License. For details, see the Google Developers Site Policies. Java is a registered trademark of Oracle and/or its affiliates.