Origins
The origin of a URL is the aggregate of the scheme, hostname and optional port.
Usage
The origin of a URL is important to understand when working with the CORS architecture and when distinguishing between the same-site and same-origin directives. Sites served from the same combination of scheme, hostname and port are all considered same-origin, whereas any other combination is considered cross-origin.
Note
The definition of the origin of a URL is not to be confused with the HTTP Origin header, which is used to communicate the origin of a URL.
same-origin vs cross-origin
The table below describes the origins related to https://www.example.re:443/documents.
| URL | Description |
|---|---|
| https://www.example.re:443 | Origin, also referred to as same-origin |
| https://www.example.re | A shorter same-origin example, where the port is implied because HTTPS is by default accessible on port 443 |
| https://www.google.com | Example of cross-origin, different domain |
| https://example.re:443 | Example of cross-origin, different hostname |
| https://images.example.re:443 | Example of cross-origin, different hostname |
| http://www.example.re:80 | Example of cross-origin, different scheme and port |
| http://www.example.re | Example of cross-origin, different scheme and implied port because HTTP is by default accessible on port 80 |
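
The comparison behind the table can be reproduced in code. The following is an added example, not part of the original page: it expands each URL into an explicit (scheme, host, port) tuple, restoring the implied port, and reports which components differ from the reference URL. The function names originTuple, originDiff and classify are hypothetical helpers chosen for this illustration.

```javascript
// Added example: compare origins as explicit (scheme, host, port) tuples.
const DEFAULT_PORTS = { 'http:': 80, 'https:': 443 };

// Return the origin of a URL with the implied port made explicit.
function originTuple(url) {
  const u = new URL(url); // WHATWG parser: lowercases scheme and hostname
  if (!(u.protocol in DEFAULT_PORTS)) {
    throw new Error(`unsupported scheme: ${u.protocol}`);
  }
  // The parser drops a port equal to the scheme default, so restore it.
  const port = u.port === '' ? DEFAULT_PORTS[u.protocol] : Number(u.port);
  return { scheme: u.protocol.slice(0, -1), host: u.hostname, port };
}

// List the origin components that differ; an empty list means same-origin.
function originDiff(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  return ['scheme', 'host', 'port'].filter((k) => x[k] !== y[k]);
}

// Label a candidate URL relative to a base URL.
function classify(base, candidate) {
  const diff = originDiff(base, candidate);
  return diff.length === 0
    ? 'same-origin'
    : `cross-origin (${diff.join(', ')})`;
}

// Reference URL and rows taken from the table above.
const BASE = 'https://www.example.re:443/documents';
const TABLE_URLS = [
  'https://www.example.re:443',
  'https://www.example.re',
  'https://www.google.com',
  'https://example.re:443',
  'https://images.example.re:443',
  'http://www.example.re:80',
  'http://www.example.re',
];

for (const url of TABLE_URLS) {
  console.log(url.padEnd(32), classify(BASE, url));
}
```

The path plays no part in the result: only the three origin components are compared, which is why /documents on the reference URL does not affect any row.
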
Sec-Fetch-Site header and same-site
Many modern web browsers send requests with the Sec-Fetch-Site HTTP request header. The header will contain one of four directives, as follows: cross-site, same-site, same-origin and none.
The directive can be reasonably trusted, because the Sec-Fetch-Dest, Sec-Fetch-Mode, Sec-Fetch-Site and Sec-Fetch-User headers are set by the browser. Even in cases where a server receives an illicitly modified Sec-Fetch-Site header, the client will not be harmed if the same-origin policy is broken.
Note
As HTTP evolves, the definition of same-site now considers the scheme as part of the site. This prevents the usage of HTTP as a non-secure channel with HTTPS URLs.
Takeaway
The origin of a URL is a combination of the scheme, hostname and port, and is used for determining whether requests for resources are same-origin, same-site or cross-origin.