This is a work in progress! For the latest updates from the HTML WG, possibly including important bug fixes, please look at the editor's draft instead. There may also be a more up-to-date Working Draft with changes based on resolution of Last Call issues.
The origin of a resource and the effective script origin of a resource are both either opaque identifiers or tuples consisting of a scheme component, a host component, a port component, and optionally extra data.
The extra data could include the certificate of the site when using encrypted connections, to ensure that if the site's secure certificate changes, the origin is considered to change as well.
These characteristics are defined as follows:
The origin and effective script origin of the URL is whatever is returned by the following algorithm:
Let url be the URL for which the origin is being determined.
Parse url.
If url identifies a resource that is its own trust domain (e.g. it identifies an e-mail on an IMAP server or a post on an NNTP server) then return a globally unique identifier specific to the resource identified by url, so that if this algorithm is invoked again for URLs that identify the same resource, the same identifier will be returned.
If url does not use a server-based naming authority, or if parsing url failed, or if url is not an absolute URL, then return a new globally unique identifier.
Let scheme be the <scheme> component of url, converted to ASCII lowercase.
If the UA doesn't support the protocol given by scheme, then return a new globally unique identifier.
If scheme is "file
", then the user agent may return a
UA-specific value.
Let host be the <host> component of url.
Apply the IDNA ToASCII algorithm to host, with both the AllowUnassigned and UseSTD3ASCIIRules flags set. Let host be the result of the ToASCII algorithm.
If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return a new globally unique identifier. [RFC3490]
Let host be the result of converting host to ASCII lowercase.
If there is no <port> component, then let port be the default port for the protocol given by scheme. Otherwise, let port be the <port> component of url.
Return the tuple (scheme, host, port).
In addition, if the URL is in fact associated with
a Document
object that was created by parsing the
resource obtained from fetching URL, and this was
done over a secure connection, then the server's secure
certificate may be added to the origin as additional data.
The origin and effective script origin of a script are determined from another resource, called the owner:
script
elementDocument
to which the
script
element belongs.Document
to which the
attribute node belongs.javascript:
URL that was returned as the
location of an HTTP redirect (or equivalent in
other protocols)javascript:
URL.javascript:
URL in an attributeDocument
of the element on
which the attribute is found.javascript:
URL in a style sheetjavascript:
URL to which a browsing
context is being navigated,
the URL having been provided by the user (e.g. by using a
bookmarklet)Document
of the browsing
context's active document.javascript:
URL to which a browsing
context is being navigated,
the URL having been declared in markupDocument
of the element
(e.g. an a
or area
element) that
declared the URL.javascript:
URL to which a browsing
context is being navigated,
the URL having been provided by scriptThe origin of the script is then equal to the origin of the owner, and the effective script origin of the script is equal to the effective script origin of the owner.
Document
objects and imagesDocument
is in a
browsing context whose sandboxed origin
browsing context flag was set when the
Document
was createdDocument
was generated from a resource
labeled as text/html-sandboxed
Document
is created.Document
or image was generated from a
javascript:
URLjavascript:
URL.Document
or image was served over the
network and has an address that uses a URL scheme with a
server-based naming authorityDocument
or the URL of the image, as
appropriate.Document
or image was generated from a
data:
URL that was returned as the location of an HTTP redirect
(or equivalent
in other protocols)data:
URL.Document
or image was generated from a
data:
URL found in another Document
or in a
scriptDocument
or script that initiated the navigation to that URL.Document
has the address
"about:blank
"Document
is the origin it was
assigned when its browsing context was created.Document
is an iframe
srcdoc
documentDocument
is the
origin of the Document
's browsing
context's browsing context container's
Document
.Document
or image was obtained in some
other manner (e.g. a data:
URL typed in by the user, a
Document
created using the createDocument()
API, etc)Document
or image is created.When a Document
is created, its effective
script origin is initialized to the origin of
the Document
. However, the document.domain
attribute can
be used to change it.
audio
and video
elementsIf value of the media element's currentSrc
attribute is the
empty string, the origin is the same as the
origin of the element's Document
's
origin.
Otherwise, the origin is equal to the
origin of the absolute URL given by the
media element's currentSrc
attribute.
The origin of a downloadable Web font is equal to the origin of the absolute URL used to obtain the font (after any redirects). [CSSFONTS]
The origin of a locally installed system font is
equal to the origin of the Document
in
which that font is being used.
Other specifications can override the above definitions by
themselves specifying the origin of a particular URL, script,
Document
, or image.
The Unicode serialization of an origin is the string obtained by applying the following algorithm to the given origin:
If the origin in question is not a
scheme/host/port tuple, then return the literal string "null
" and abort these steps.
Otherwise, let result be the scheme part of the origin tuple.
Append the string "://
" to result.
Apply the IDNA ToUnicode algorithm to each component of the host part of the origin tuple, and append the results — each component, in the same order, separated by U+002E FULL STOP characters (.) — to result. [RFC3490]
If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.
Return result.
The ASCII serialization of an origin is the string obtained by applying the following algorithm to the given origin:
If the origin in question is not a
scheme/host/port tuple, then return the literal string "null
" and abort these steps.
Otherwise, let result be the scheme part of the origin tuple.
Append the string "://
" to result.
Apply the IDNA ToASCII algorithm the host part of the origin tuple, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and append the results result.
If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return the empty string and abort these steps. [RFC3490]
If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.
Return result.
Two origins are said to be the same origin if the following algorithm returns true:
Let A be the first origin being compared, and B be the second origin being compared.
If A and B are both opaque identifiers, and their value is equal, then return true.
Otherwise, if either A or B or both are opaque identifiers, return false.
If A and B have scheme components that are not identical, return false.
If A and B have host components that are not identical, return false.
If A and B have port components that are not identical, return false.
If either A or B have additional data, but that data is not identical for both, return false.
Return true.
domain
[ = domain ]Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the effective script origin to allow pages on other subdomains of the same domain (if they do the same thing) to access each other.
The domain
attribute on Document
objects must be initialized to
the document's domain, if it has one, and the empty
string otherwise. If the value is an IPv6 address, then the square
brackets from the host portion of the <host> component must be omitted from
the attribute's value.
On getting, the attribute must return its current value, unless
the Document
has no browsing context, in
which case it must return the empty string.
On setting, the user agent must run the following algorithm:
If the Document
has no browsing
context, throw a SECURITY_ERR
exception and
abort these steps.
If the new value is an IP address, let new value be the new value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and let new value be the result of the ToASCII algorithm.
If ToASCII fails to convert one of the components of the
string, e.g. because it is too long or because it contains invalid
characters, then throw a SECURITY_ERR
exception and abort
these steps. [RFC3490]
If new value is not exactly equal to the
current value of the document.domain
attribute, then
run these substeps:
If the current value is an IP address, throw a
SECURITY_ERR
exception and abort these steps.
If new value, prefixed by a U+002E FULL
STOP (.), does not exactly match the end of the current value,
throw a SECURITY_ERR
exception and abort these
steps.
If new value matches a suffix in the
Public Suffix List, or, if new value,
prefixed by a U+002E FULL STOP (.), matches the end of a
suffix in the Public Suffix List, then throw a
SECURITY_ERR
exception and abort these steps. [PSL]
Suffixes must be compared after applying the IDNA ToASCII algorithm to them, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, in an ASCII case-insensitive manner. [RFC3490]
Release the storage mutex.
Set the attribute's value to new value.
Set the host part of the effective script origin
tuple of the Document
to new
value.
Set the port part of the effective script origin
tuple of the Document
to "manual override" (a value
that, for the purposes of comparing
origins, is identical to "manual override" but not
identical to any other value).
The domain of a
Document
is the host part of the document's
origin, if that is a scheme/host/port tuple. If it
isn't, then the document does not have a domain.
The domain
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.
Do not use the document.domain
attribute when
using shared hosting. If an untrusted third party is able to host an
HTTP server at the same IP address but on a different port, then the
same-origin protection that normally protects two different sites on
the same host will fail, as the ports are ignored when comparing
origins after the document.domain
attribute has
been used.