This is part of A Model of Authority in the Web.

Same Origin Policy

Section 6.4 Origin of the HTML 5 draft defines the origin of scripts, documents etc.:

@keywords is, of, a.
@prefix : <scriptorigin#>.
@prefix s: <> .
@prefix owl: <>.

origin s:label "origin";
  a owl:DatatypeProperty;
  s:isDefinedBy <>;
  s:comment """origin of a resource, document, script, etc.""";
  s:comment """for example { doc1 origin "". }""".

In particular, it says:

If a Document or image was served over the network and has an address that uses a URL scheme with a server-based naming authority,

The origin is the origin of the address of the Document or the URL of the image, as appropriate.

That seems to license the following rule:

@prefix ht: <>.
@prefix log: <>.
@prefix str: <>.
@prefix list: <>.
 ?RES log:uri ?I.
 (?I "http://([^/]+)/") str:search (?ORIGIN).

 ?CONNECTION ht:connectionAuthority ?ORIGIN;
   ht:requests [list:member ?Q].

 ?Q ht:absoluteURI ?I; ht:methodName "GET".
} => { ?RES origin ?ORIGIN }.


Given our view that HTTP URIs (that respond to GETs with 200) denote social principals, is it too much of a stretch to read "has an address" as log:uri? i.e. the relationship between a URI and what it identifies?

To represent the judgement that a script object may contact an origin, we introduce:

contactsOrigin s:label "contacts origin";
  a owl:DatatypeProperty;
  s:isDefinedBy <>;
  s:comment """relates a script object to
    an origin that it is authorized to contact""".

We can then state the same origin policy as:

@prefix c: <speech#>.

{ ?P origin ?ORIGIN }
=> { ?P c:controls_subject ( contactsOrigin ?ORIGIN) }.