Origin
“Origin” is a combination of a scheme (also known as the protocol, for example HTTP or HTTPS), a hostname, and a port (if specified). For example, given a URL of https://www.example.com:443/foo, the “origin” is https://www.example.com:443.

“Same-origin” and “cross-origin”
Websites that have the same combination of scheme, hostname, and port are considered “same-origin”. Everything else is considered “cross-origin”.

| Origin A | Origin B | “Same-origin” or “cross-origin”? |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | Cross-origin: different domains |
| https://www.example.com:443 | https://example.com:443 | Cross-origin: different subdomains |
| https://www.example.com:443 | https://login.example.com:443 | Cross-origin: different subdomains |
| https://www.example.com:443 | http://www.example.com:443 | Cross-origin: different schemes |
| https://www.example.com:443 | https://www.example.com:80 | Cross-origin: different ports |
| https://www.example.com:443 | https://www.example.com:443 | Same-origin: exact match |
| https://www.example.com:443 | https://www.example.com | Same-origin: implicit port number (443) matches |

Site
“Site” is a combination of the scheme, the TLD, and the part of the domain just before it (TLD+1). For example, given a URL of https://www.example.com:443/foo, the “site” is https://example.com.

Public Suffix List and eTLD
For domains with elements such as .co.jp or .github.io, just using .jp or .io isn’t specific enough to identify the “site”. There’s no way to algorithmically determine the level of registrable domains for a particular TLD. To help with that, the Public Suffix List defines a list of public suffixes, also called effective TLDs (eTLDs). The list of eTLDs is maintained at publicsuffix.org/list.

“Same-site” and “cross-site”
| Origin A | Origin B | “Same-site” or “cross-site”? |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | Cross-site: different domains |
| https://www.example.com:443 | https://login.example.com:443 | Same-site: different subdomains don’t matter |
| https://www.example.com:443 | http://www.example.com:443 | Cross-site: different schemes |
| https://www.example.com:443 | https://www.example.com:80 | Same-site: different ports don’t matter |
| https://www.example.com:443 | https://www.example.com:443 | Same-site: exact match |
| https://www.example.com:443 | https://www.example.com | Same-site: ports don’t matter |
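
The two comparisons above can be computed side by side. The following is an added example, not code from the original page: the function names are hypothetical, and `PUBLIC_SUFFIXES` is a small constructed subset standing in for the full Public Suffix List.

```javascript
// Constructed subset of the Public Suffix List, for illustration only.
// A real check loads the full list from publicsuffix.org/list and also
// handles its wildcard and exception rules, which this sketch does not.
const PUBLIC_SUFFIXES = new Set(["com", "io", "jp", "co.jp", "github.io"]);
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Origin = scheme + hostname + port. The URL parser drops a port that is
// the scheme's default, so it is filled back in to make the match explicit.
function originOf(url) {
  const u = new URL(url);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Registrable domain = longest matching public suffix (eTLD) plus one label.
// Hostnames only: IP address literals are not handled here.
function registrableDomain(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // findIndex scans from the longest candidate suffix to the shortest.
  let i = labels.findIndex((_, k) => PUBLIC_SUFFIXES.has(labels.slice(k).join(".")));
  // No listed suffix: the PSL default rule treats the last label as the suffix.
  if (i === -1) i = labels.length - 1;
  // i === 0 means the host is itself a public suffix (no registrable domain).
  return i === 0 ? null : labels.slice(i - 1).join(".");
}

// Site = scheme + registrable domain; the port is ignored. When there is no
// registrable domain, the full hostname is used, so only identical hosts match.
function siteOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${registrableDomain(u.hostname) ?? u.hostname}`;
}

const sameOrigin = (a, b) => originOf(a) === originOf(b);
const sameSite = (a, b) => siteOf(a) === siteOf(b);

// Rows from the tables above, plus two eTLD cases (github.io, co.jp).
const A = "https://www.example.com:443";
for (const [a, b] of [
  [A, "https://login.example.com:443"],
  [A, "http://www.example.com:443"],
  [A, "https://www.example.com:80"],
  ["https://alice.github.io", "https://bob.github.io"],
  ["https://a.example.co.jp", "https://b.example.co.jp"],
]) {
  const o = sameOrigin(a, b) ? "same-origin" : "cross-origin";
  const s = sameSite(a, b) ? "same-site" : "cross-site";
  console.log(`${a} vs ${b}: ${o}, ${s}`);
}
```

The `github.io` pair comes out cross-site because `github.io` is itself a public suffix, so each subdomain is its own registrable domain; a naive TLD+1 rule would wrongly treat the two as same-site.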