All too often, even seasoned web security professionals get mixed up by the subtle differences between cross site scripting (XSS), cross site request forgery (CSRF) and cross origin resource sharing (CORS). In this talk, I’ll start at the basics and discuss the browser security model and same origin policy - the security boundary that protects and limits JavaScript’s power within the browser. After covering the basics of origins and JavaScript, I’ll walk through each of the three “cross” attacks and explain in depth what is happening, why they work - and what an attacker can do with them. The talk will feature code samples and discussions of how to mitigate these vulnerabilities by leveraging the SOP. Whether you are a pentester, security engineer, developer or product manager, this talk should help everyone design, implement and test secure web applications.