HTML5

These characteristics are defined as follows:

For URLs

The origin and effective script origin of the URL are the origin defined in The Web Origin Concept. [ORIGIN]

For scripts

The origin and effective script origin of a script are determined from another resource, called the owner:

If a script is in a script element

The owner is the Document to which the script element belongs.

If a script is in an event handler content attribute

The owner is the Document to which the attribute node belongs.

If a script is a function or other code reference created by another script

The owner is the script that created it.

If a script is a javascript: URL that was returned as the location of an HTTP redirect (or equivalent in other protocols)

The owner is the URL that redirected to the javascript: URL.

If a script is a javascript: URL in an attribute

The owner is the Document of the element on which the attribute is found.

If a script is a javascript: URL in a style sheet

The owner is the URL of the style sheet.

If a script is a javascript: URL to which a browsing context is being navigated, the URL having been provided by the user (e.g. by using a bookmarklet)

The owner is the Document of the browsing context's active document.

If a script is a javascript: URL to which a browsing context is being navigated, the URL having been declared in markup

The owner is the Document of the element (e.g. an a or area element) that declared the URL.

If a script is a javascript: URL to which a browsing context is being navigated, the URL having been provided by script

The owner is the script that provided the URL.

The origin of the script is then equal to the origin of the owner, and the effective script origin of the script is equal to the effective script origin of the owner.

For Document objects

If a Document is in a browsing context whose sandboxed origin browsing context flag was set when the Document was created

The origin is a globally unique identifier assigned when the Document is created.

If a Document was generated from a javascript: URL

The origin is equal to the origin of the script of that javascript: URL.

If a Document was served over the network and has an address that uses a URL scheme with a server-based naming authority

The origin is the origin of the Document's address.

If a Document was generated from a data: URL that was returned as the location of an HTTP redirect (or equivalent in other protocols)

The origin is the origin of the URL that redirected to the data: URL.

If a Document was generated from a data: URL found in another Document or in a script

The origin is the origin of the Document or script that initiated the navigation to that URL.

If a Document has the address "about:blank"

The origin of the Document is the origin it was assigned when its browsing context was created.

If a Document is an iframe srcdoc document

The origin of the Document is the origin of the Document's browsing context's browsing context container's Document.

If a Document was obtained in some other manner (e.g. a data: URL typed in by the user, a Document created using the createDocument() API, etc)

The origin is a globally unique identifier assigned when the Document is created.

When a Document is created, its effective script origin is initialized to the origin of the Document. However, the document.domain attribute can be used to change it.

For images

If an image is the image of an img element and its image data is CORS-cross-origin

The origin is a globally unique identifier assigned when the image is created.

If an image is the image of an img element and its image data is CORS-same-origin

The origin is the origin of the img element's Document.

For audio and video elements

If the media data is CORS-cross-origin

The origin is a globally unique identifier assigned when the image is created.

If the media data is CORS-same-origin

The origin is the origin of the media element's Document.

For fonts

The origin of a downloadable Web font is equal to the origin of the absolute URL used to obtain the font (after any redirects). [CSSFONTS]

The origin of a locally installed system font is equal to the origin of the Document in which that font is being used.

Other specifications can override the above definitions by themselves specifying the origin of a particular URL, script, Document, or image.

---

The Unicode serialization of an origin is the string obtained by applying the following algorithm to the given origin:

1. If the origin in question is not a scheme/host/port tuple, then return the literal string "null" and abort these steps.

2. Otherwise, let result be the scheme part of the origin tuple.

3. Append the string "://" to result.

4. Apply the IDNA ToUnicode algorithm to each component of the host part of the origin tuple, and append the results — each component, in the same order, separated by "." (U+002E) characters — to result. [RFC3490]

5. If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a ":" (U+003A) character and the given port, in base ten, to result.

6. Return result.

The ASCII serialization of an origin is the string obtained by applying the following algorithm to the given origin:

1. If the origin in question is not a scheme/host/port tuple, then return the literal string "null" and abort these steps.

2. Otherwise, let result be the scheme part of the origin tuple.

3. Append the string "://" to result.

4. Apply the IDNA ToASCII algorithm the host part of the origin tuple, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and append the results result.

   If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return the empty string and abort these steps. [RFC3490]

5. If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a ":" (U+003A) character and the given port, in base ten, to result.

6. Return result.

Two origins are said to be the same origin if the following algorithm returns true:

1. Let A be the first origin being compared, and B be the second origin being compared.

2. If A and B are both opaque identifiers, and their value is equal, then return true.

3. Otherwise, if either A or B or both are opaque identifiers, return false.

4. If A and B have scheme components that are not identical, return false.

5. If A and B have host components that are not identical, return false.

6. If A and B have port components that are not identical, return false.

7. If either A or B have additional data, but that data is not identical for both, return false.

8. Return true.

The domain attribute on Document objects must be initialized to the document's domain, if it has one, and the empty string otherwise. If the value is an IPv6 address, then the square brackets from the host portion of the <host> component must be omitted from the attribute's value.

On getting, the attribute must return its current value, unless the Document has no browsing context, in which case it must return the empty string.

On setting, the user agent must run the following algorithm:

1. If the Document has no browsing context, throw a SecurityError exception and abort these steps.

2. If the new value is an IP address, let new value be the new value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and let new value be the result of the ToASCII algorithm.

   If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then throw a SecurityError exception and abort these steps. [RFC3490]

3. If new value is not exactly equal to the current value of the document.domain attribute, then run these substeps:

   1. If the current value is an IP address, throw a SecurityError exception and abort these steps.

   2. If new value, prefixed by a "." (U+002E), does not exactly match the end of the current value, throw a SecurityError exception and abort these steps.

   3. If new value matches a suffix in the Public Suffix List, or, if new value, prefixed by a "." (U+002E), matches the end of a suffix in the Public Suffix List, then throw a SecurityError exception and abort these steps. [PSL]

      Suffixes must be compared after applying the IDNA ToASCII algorithm to them, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, in an ASCII case-insensitive manner. [RFC3490]

4. Release the storage mutex.

5. Set the attribute's value to new value.

6. Set the host part of the effective script origin tuple of the Document to new value.

7. Set the port part of the effective script origin tuple of the Document to "manual override" (a value that, for the purposes of comparing origins, is identical to "manual override" but not identical to any other value).

The domain of a Document is the host part of the document's origin, if that is a scheme/host/port tuple. If it isn't, then the document does not have a domain.