The origin of a URL is the combination of its scheme, hostname and port. The port may be left out of the URL when it is the default for the scheme (443 for https, 80 for http); the origin still includes it.
The origin is the unit that CORS and the same-origin policy reason about, and the distinction they draw is between same-origin and cross-origin requests: resources served under the same scheme, hostname and port belong to the same origin, and any other combination is cross-origin.
The origin of a URL should not be confused with the HTTP Origin request header. That header does not describe the URL being requested; it carries the origin of the page (the browsing context) that initiated the request, and browsers attach it to CORS requests and to most state-changing requests so the server can tell where the request came from.
same-origin vs cross-origin
The table below relates a set of URLs to the reference origin https://www.example.ai:443.
|URL|Relation to https://www.example.ai:443|
|---|---|
|https://www.example.ai:443|The reference origin itself|
|https://www.example.ai|A shorter form of the same origin: 443 is the default port for https, so it may be omitted|
|https://www.google.com|Example of a cross-origin URL (different hostname); it is also a different site|
|https://example.ai:443|Example of a cross-origin URL (different hostname) that is nevertheless same-site, since it shares the registrable domain example.ai|
|https://images.example.ai:443|Example of a cross-origin URL (different hostname), again same-site with the reference|
|http://www.example.ai:80|Example of a cross-origin URL (different scheme); with the scheme counted as part of the site it is cross-site as well|
|http://www.example.ai|A shorter form of the previous URL: 80 is the default port for http|
Sec-Fetch-Site header and same-site
Modern browsers send the Sec-Fetch-Site request header with one of four values: same-origin, same-site, cross-site, or none (the last for requests the browser did not make on behalf of a page, such as a typed URL or a bookmark).
The value can be trusted because Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site and Sec-Fetch-User are forbidden header names that only the browser sets: a page's scripts cannot set or alter them. A forged value can therefore only come from a non-browser client that controls its own requests. Such a client can mislead the server about itself, but there is no victim browser whose same-origin policy is being bypassed, so a forged header cannot be turned against a user. The server should still treat the header as one input to a request-isolation policy rather than its only CSRF defence: old browsers and non-browser clients send no Fetch Metadata at all, and those requests need SameSite cookies or anti-CSRF tokens to cover them.
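An added example, not code from the original page, of how a server can act on these headers: a Fetch Metadata request-isolation check in JavaScript. It is written against an assumed minimal request shape `{ method, headers }` with lower-cased header names, as Node's `http.IncomingMessage` exposes them; the function name `fetchMetadataDecision` and the sample requests are constructed for this example.

```javascript
// Added example, not from the original page: a Fetch Metadata
// request-isolation check. `req` is an assumed minimal shape
// { method, headers } with lower-cased header names, as Node's
// http.IncomingMessage exposes them.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS"]);

// Returns { allow, reason }. Sec-Fetch-* are forbidden header names: page
// scripts cannot set or alter them, only the browser can, so a value that
// came from a browser is trustworthy. Only a non-browser client can forge
// them, and such a client has no victim browser to protect.
function fetchMetadataDecision(req) {
  const site = req.headers["sec-fetch-site"];

  // Older browsers and non-browser clients send no Fetch Metadata at all.
  // This check cannot judge such a request; allow it and rely on the
  // application's other CSRF defences (SameSite cookies, anti-CSRF tokens).
  if (site === undefined) return { allow: true, reason: "no-fetch-metadata" };

  // Same origin, same site, or user-initiated (typed URL, bookmark): allow.
  if (site === "same-origin" || site === "same-site" || site === "none") {
    return { allow: true, reason: site };
  }

  if (site === "cross-site") {
    const mode = req.headers["sec-fetch-mode"];
    const dest = req.headers["sec-fetch-dest"];
    // Permit a cross-site top-level navigation with a safe method (someone
    // followed a link to us), but not navigations into <object>/<embed>
    // and not any state-changing method such as an auto-submitted POST form.
    if (mode === "navigate" && SAFE_METHODS.has(req.method) &&
        dest !== "object" && dest !== "embed") {
      return { allow: true, reason: "cross-site-navigation" };
    }
    return { allow: false, reason: "cross-site-blocked" };
  }

  // Any other value is not something a browser sends: reject.
  return { allow: false, reason: "unrecognised-sec-fetch-site" };
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  "fetch() from our own page": { method: "POST",
    headers: { "sec-fetch-site": "same-origin", "sec-fetch-mode": "cors", "sec-fetch-dest": "empty" } },
  "form auto-submitted by attacker site": { method: "POST",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  "user follows a link from another site": { method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "navigate", "sec-fetch-dest": "document" } },
  "image hot-linked by another site": { method: "GET",
    headers: { "sec-fetch-site": "cross-site", "sec-fetch-mode": "no-cors", "sec-fetch-dest": "image" } },
  "curl with no Fetch Metadata": { method: "POST", headers: {} },
};

// Decide each sample; returns { label: { allow, reason } }.
function evaluateSamples(samples = SAMPLE_REQUESTS) {
  const out = {};
  for (const [label, req] of Object.entries(samples)) {
    out[label] = fetchMetadataDecision(req);
  }
  return out;
}

for (const [label, d] of Object.entries(evaluateSamples())) {
  console.log(`${d.allow ? "ALLOW" : "BLOCK"} (${d.reason}): ${label}`);
}
```

Two caveats follow from the policy. Cross-site GET navigations are let through, so the check only protects state-changing operations if GET handlers never change state. And a request carrying no Sec-Fetch-Site header, which is what curl or an old browser sends, is passed on unjudged, so SameSite cookies or CSRF tokens must still cover it.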
Web standards have since tightened the definition of same-site so that the scheme is part of the site ("schemeful same-site"): http://www.example.ai and https://www.example.ai are now different sites even though they share the registrable domain example.ai. This closes the gap in which a plain-HTTP page on the same domain, whose traffic an on-path attacker can read and alter, counted as same-site to an HTTPS origin, for example for SameSite cookies and for the value the browser puts in Sec-Fetch-Site.
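An added worked example, not code from the original page, serving both the origin table above and the schemeful same-site definition just described: the JavaScript below classifies each URL of the table against its reference origin https://www.example.ai:443 using the WHATWG URL parser built into browsers and Node.js. The tiny Public Suffix List stand-in `PUBLIC_SUFFIXES` and the helper names `originOf`, `registrableDomain`, `siteOf`, `classify` and `classifyAll` are assumptions made for this example.

```javascript
// Added example, not from the original page: classify URLs as same-origin,
// same-site (schemeful) or cross-site relative to a reference URL, using the
// WHATWG URL parser built into browsers and Node.js.

// Constructed stand-in for the Public Suffix List, an assumption made so the
// example runs offline. Real code must use the full list (e.g. the `psl`
// package), otherwise suffixes such as "co.uk" are misclassified as sites.
const PUBLIC_SUFFIXES = new Set(["com", "ai", "co.uk"]);

// Origin: scheme + host + port. The URL parser drops a port equal to the
// scheme's default (443 for https, 80 for http), so
// "https://www.example.ai:443" and "https://www.example.ai" serialise alike.
// Opaque origins (data:, file:) serialise as the string "null".
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Registrable domain (eTLD+1): the longest matching public suffix plus one
// more label. Hosts under no known suffix (IP addresses, localhost) are
// their own registrable domain.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 1; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES.has(labels.slice(i).join("."))) {
      return labels.slice(i - 1).join(".");
    }
  }
  return hostname;
}

// Schemeful site: scheme + registrable domain. The port is deliberately not
// part of the site, but the scheme is, so http:// and https:// differ.
function siteOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${registrableDomain(u.hostname)}`;
}

function classify(reference, candidate) {
  const a = originOf(reference);
  const b = originOf(candidate);
  // An opaque ("null") origin is never equal to anything, itself included.
  if (a === "null" || b === "null") return "cross-site";
  if (a === b) return "same-origin";
  if (siteOf(reference) === siteOf(candidate)) return "same-site";
  return "cross-site";
}

// The URLs from the table above, checked against its reference origin.
const REFERENCE = "https://www.example.ai:443";
const CANDIDATES = [
  "https://www.example.ai",
  "https://www.google.com",
  "https://example.ai:443",
  "https://images.example.ai:443",
  "http://www.example.ai:80",
  "http://www.example.ai",
];

// Returns [[url, relation], ...] for every candidate.
function classifyAll(reference = REFERENCE, candidates = CANDIDATES) {
  return candidates.map((c) => [c, classify(reference, c)]);
}

for (const [url, relation] of classifyAll()) {
  console.log(`${url.padEnd(32)} ${relation}`);
}
```

Note that the same-origin test compares the parser's serialised origin rather than comparing scheme, host and port by hand, which is what makes the explicit and implicit default port match; and that the two http:// rows come out cross-site only because the scheme is folded into the site.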
The origin of a URL is a combination of the scheme, hostname and port, and is used for determining whether requests for resources are