diff --git a/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java
new file mode 100644
index 000000000..5d41998c6
--- /dev/null
+++ b/ webgoat/main/project/JavaSource/org/owasp/webgoat/lessons/SameOriginPolicyProtection.java
@@ -0,0 +1,204 @@ +package org.owasp.webgoat.lessons; + +import java.util.ArrayList; +import java.util.List; + +import org.apache.ecs.Element; +import org.apache.ecs.ElementContainer; +import org.apache.ecs.StringElement; +import org.apache.ecs.html.A; +import org.apache.ecs.html.BR; +import org.apache.ecs.html.H2; +import org.apache.ecs.html.H3; +import org.apache.ecs.html.IMG; +import org.apache.ecs.html.Input; +import org.apache.ecs.html.Script; +import org.apache.ecs.html.TextArea; +import org.apache.ecs.xhtml.button; +import org.apache.ecs.xhtml.link; +import org.owasp.webgoat.session.*; + + +public class SameOriginPolicyProtection extends LessonAdapter +{ + public final static A ASPECT_LOGO = new A().setHref("http://www.aspectsecurity.com").addElement(new IMG("images/logos/aspect.jpg").setAlt("Aspect Security").setBorder(0).setHspace(0).setVspace(0)); + + + + /** + * Description of the Method + * + * @param s Description of the Parameter + * @return Description of the Return Value + */ + protected Element createContent(WebSession s) + { + ElementContainer ec = new ElementContainer(); + + try + { + + ec.addElement(new Script() + .setSrc("javascript/sameOrigin.js")); + + Input hiddenWGStatus = new Input(Input.HIDDEN,"hiddenWGStatus",0); + hiddenWGStatus.setID("hiddenWGStatus"); + ec.addElement(hiddenWGStatus); + + Input hiddenGoogleStatus = new Input(Input.HIDDEN,"hiddenGoogleStatus",0); + hiddenGoogleStatus.setID("hiddenGoogleStatus"); + ec.addElement(hiddenGoogleStatus); + + + + ec.addElement(new StringElement("Enter a URL: ")); + ec.addElement(new BR()); + + TextArea urlArea = new TextArea(); + urlArea.setID("requestedURL"); + urlArea.setRows(1); + urlArea.setCols(60); + urlArea.setWrap("SOFT"); + ec.addElement(urlArea); + + + button b = new button(); + b.setValue("Go!"); + b.setType(button.button); + b.setName("Go!"); + b.setOnClick("submitXHR();"); + b.addElement("Go!"); + ec.addElement(b); + + + + + + ec.addElement(new BR()); + ec.addElement(new BR()); + 
+ + + + H3 reponseTitle = new H3("Response: "); + reponseTitle.setID("responseTitle"); + + + ec.addElement(reponseTitle); + //ec.addElement(new BR()); + + + TextArea ta = new TextArea(); + ta.setName("responseArea"); + ta.setID("responseArea"); + ta.setCols(60); + ta.setRows(4); + ec.addElement(ta); + ec.addElement(new BR()); + + + + + String webGoatURL = "lessons/Ajax/sameOrigin.jsp"; + String googleURL = "http://www.google.com/search?q=aspect+security"; + + ec.addElement(new BR()); + + A webGoat = new A(); + webGoat.setHref("javascript:populate(\"" + webGoatURL + "\")"); + webGoat.addElement("Click here to try a Same Origin request:
" + webGoatURL); + ec.addElement(webGoat); + + ec.addElement(new BR()); + ec.addElement(new BR()); + + A google = new A(); + google.setHref("javascript:populate(\"" + googleURL + "\")"); + google.addElement("Click here to try a Different Origin request:
" + googleURL); + ec.addElement(google); + + + } + catch (Exception e) + { + s.setMessage("Error generating " + this.getClass().getName()); + e.printStackTrace(); + } + + + + + int hiddenWGStatusInt = s.getParser().getIntParameter("hiddenWGStatus",0); + int hiddenGoogleStatusInt = s.getParser().getIntParameter("hiddenGoogleStatus",0); + + System.out.println("hiddenWGStatus:" + hiddenWGStatusInt); + System.out.println("hiddenGoogleStatusInt:" + hiddenGoogleStatusInt); + + + if (hiddenWGStatusInt == 1 && hiddenGoogleStatusInt == 1) + { + makeSuccess(s); + } + + return (ec); + } + + + /** + * Gets the hints attribute of the HelloScreen object + * + * @return The hints value + */ + public List getHints(WebSession s) + { + List hints = new ArrayList(); + hints.add("Enter a URL to see if it is allowed."); + hints.add("Click both of the links below to complete the lesson"); + + return hints; + } + + /** + * Gets the ranking attribute of the HelloScreen object + * + * @return The ranking value + */ + private final static Integer DEFAULT_RANKING = new Integer(10); + + + protected Integer getDefaultRanking() + { + return DEFAULT_RANKING; + } + + + protected Category getDefaultCategory() + { + return Category.AJAX_SECURITY; + } + + + /** + * Gets the title attribute of the HelloScreen object + * + * @return The title value + */ + public String getTitle() + { + return ("Same Origin Policy Protection"); + } + + public Element getCredits() + { + return super.getCustomCredits("", ASPECT_LOGO); + } + public String getInstructions(WebSession s) { + String instructions = "This exercise demonstrates the " + + "Same Origin Policy Protection. XHR requests can only be passed back to " + + " the originating server. Attempts to pass data to a non-originating server " + + " will fail."; + + + return (instructions); + } +} 
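Review bot: Lesson completion at the end of createContent is decided solely by the request parameters `hiddenWGStatus` and `hiddenGoogleStatus`, which are the very hidden inputs this page emits, so the server never confirms that either XHR was actually made. Since the same-origin request for `lessons/Ajax/sameOrigin.jsp` does reach this server, completion could instead be keyed on a session flag recorded when that JSP is served, leaving the cross-origin failure as a purely client-side demonstration. The two `System.out.println` calls that dump the parsed values to stdout, and `e.printStackTrace()` in the catch, should go through the lesson's normal logging or be removed before this ships. The Javadoc on getHints, getDefaultRanking and getTitle still describes "the HelloScreen object", the DEFAULT_RANKING comment is attached to a field rather than the method below it, and `reponseTitle` is misspelled; getHints also uses raw `List`/`ArrayList` where `List<String>` is available.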
diff --git a/ webgoat/main/project/WebContent/javascript/sameOrigin.js b/ webgoat/main/project/WebContent/javascript/sameOrigin.js
new file mode 100644
index 000000000..811f95b03
--- /dev/null
+++ b/ webgoat/main/project/WebContent/javascript/sameOrigin.js
@@ -0,0 +1,101 @@ + + + +function submitXHR(){ + + document.getElementById("responseTitle").innerHTML="Response: "; + + document.getElementById("responseArea").innerHTML=""; + + alert("creating XHR request for: " + document.getElementById("requestedURL").value); + + + + try{ + ajaxFunction(); + } + catch(err){ + alert(err); + document.getElementById("requestedURL").value=""; + } +} + + + +function ajaxFunction() + { + var xmlHttp; + try + { + // Firefox, Opera 8.0+, Safari + xmlHttp=new XMLHttpRequest(); + } + catch (e) + { + // Internet Explorer + try + { + xmlHttp=new ActiveXObject("Msxml2.XMLHTTP"); + } + catch (e) + { + try + { + xmlHttp=new ActiveXObject("Microsoft.XMLHTTP"); + } + catch (e) + { + alert("Your browser does not support AJAX!"); + return false; + } + } + } + xmlHttp.onreadystatechange=function() + { + + var result = xmlHttp.responseText; + if(xmlHttp.readyState==4) + { + + + document.getElementById("responseTitle").innerHTML="Response from: " + + document.getElementById("requestedURL").value ; + + document.getElementById("responseArea").innerHTML=result; + + document.getElementById("requestedURL").value=""; + + } + } + + xmlHttp.open("GET",document.getElementById("requestedURL").value,true); + xmlHttp.send(null); + } + + + +function populate(url){ + document.getElementById("requestedURL").value=url; + submitXHR(); + + + var webGoatURL = "lessons/Ajax/sameOrigin.jsp"; + var googleURL = "http://www.google.com/search?q=aspect+security"; + + var hiddenWGStatus = document.getElementById("hiddenWGStatus"); + + var hiddenGoogleStatus = document.getElementById("hiddenGoogleStatus"); + + + if (url == webGoatURL){ + hiddenWGStatus.value = 1; + } + + if (url == googleURL){ + hiddenGoogleStatus.value = 1; + } + + if (hiddenWGStatus.value == 1 && hiddenGoogleStatus.value == 1){ + document.form.submit(); + } +} \ No newline at end of file 
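Review bot: In the onreadystatechange handler of ajaxFunction, both the fetched body and the user-typed URL are written through `innerHTML`, so any markup in the response or in the `requestedURL` field is parsed into the lesson page instead of being shown as text. `responseArea` is a textarea and `responseTitle` only needs plain text, so `document.getElementById("responseArea").value = result;` and `document.getElementById("responseTitle").textContent = "Response from: " + document.getElementById("requestedURL").value;` keep the behaviour without the injection sink; the same `innerHTML` assignments appear at the top of submitXHR. `var result = xmlHttp.responseText;` is read before the readyState check, which some older engines throw on, so moving it inside the `readyState==4` branch is safer. In populate, `document.form.submit()` relies on a form named `form` that this hunk does not show; verify it exists or use `document.forms[0]`.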
diff --git a/ webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html b/ webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html
new file mode 100644
index 000000000..b7db5d10e
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lesson_plans/SameOriginPolicyProtection.html
@@ -0,0 +1,13 @@
+
+

Lesson Plan Title: Same Origin Policy Protection

+
+

Concept / Topic To Teach:

+ +A key element of AJAX is the XMLHttpRequest (XHR), which allows javascript to make asynchronous +calls from the client side to a server. However, as a security measure these requests may +only be made to the server from which the client page originated. + +

General Goal(s):

+This exercise demonstrates the Same Origin Policy Protection. XHR requests
+can only be passed back to the originating server. Attempts to pass data to
+a non-originating server will fail.";
diff --git a/ webgoat/main/project/WebContent/lessons/Ajax/sameOrigin.jsp b/ webgoat/main/project/WebContent/lessons/Ajax/sameOrigin.jsp
new file mode 100644
index 000000000..26e652898
--- /dev/null
+++ b/ webgoat/main/project/WebContent/lessons/Ajax/sameOrigin.jsp
@@ -0,0 +1 @@
+Good Response
\ No newline at end of file