As well as being able to use a classic “http://domain.com” style origin, widgets can also use a custom scheme called the Widget URI scheme that typically looks like this:
The widget URI scheme works like a “fake” HTTP server: it sends back local files from inside a widget package (e.g., an image) by simulating HTTP responses.
The misconception about origin arises because people don’t really understand what an origin is: they think it means http://some.url.com (i.e., a website). Thankfully, the HTML Standard makes it clear by defining an origin as:
opaque identifiers or tuples consisting of a scheme component, a host component, a port component, and optionally extra data.
In other words, widget:// makes for a perfectly valid origin.
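The two ideas above as an added example (not code from the original post or from any widget runtime): a toy resolver answers widget:// requests from an in-memory package with simulated HTTP responses, and origins are compared as (scheme, host, port) tuples. The package id, file names, MIME table and the 400/403/404 status choices are assumptions made for illustration.

```javascript
// Added example: every name and sample value here is constructed for illustration.
const MIME = { html: "text/html", png: "image/png", js: "text/javascript" };

// Split a URI into the (scheme, host, port) tuple the HTML Standard calls an origin.
function originOf(uri) {
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/?#:]*)(?::(\d+))?/i.exec(uri);
  if (!m) return null; // no authority component: nothing to build a tuple from
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] || "" };
}

// Two origins match only when every component of the tuple matches.
function sameOrigin(a, b) {
  const x = originOf(a), y = originOf(b);
  return !!x && !!y && x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Answer a widget:// request from an in-memory package as a simulated HTTP response.
function serve(pkg, uri) {
  const reply = (status, type, body) =>
    ({ status, headers: { "Content-Type": type }, body });
  const o = originOf(uri);
  if (!o || o.scheme !== "widget" || o.host !== pkg.id)
    return reply(403, "text/plain", "foreign origin");
  const rest = uri.slice(uri.indexOf("//") + 2);
  const slash = rest.indexOf("/");
  let path;
  try {
    path = decodeURIComponent(slash < 0 ? "" : rest.slice(slash + 1).split(/[?#]/)[0]);
  } catch { return reply(400, "text/plain", "bad encoding"); }
  // Decode first, then refuse dot segments so "%2e%2e" cannot leave the package root.
  if (path.split(/[\/\\]/).some((s) => s === ".." || s === "."))
    return reply(400, "text/plain", "bad path");
  // Own-property check keeps names like "constructor" from resolving via the prototype.
  if (!Object.prototype.hasOwnProperty.call(pkg.files, path))
    return reply(404, "text/plain", "not found");
  const ext = path.slice(path.lastIndexOf(".") + 1).toLowerCase();
  return reply(200, MIME[ext] || "application/octet-stream", pkg.files[path]);
}

// Constructed sample package; its id plays the role of the URI's host component.
const pkg = {
  id: "c0ffee00-0000-4000-8000-000000000001",
  files: { "index.html": "<h1>hi</h1>", "img/logo.png": "PNG-bytes" },
};
```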