An origin is the fundamental unit of web security, defined by the tuple of scheme (protocol), host, and port.
If any one of the three differs, the browser treats it as a different origin, and many browser security policies enforce their boundaries against this definition.
For example, `https://app.example.com` and `http://app.example.com` are different origins (different scheme), and `https://example.com:443` versus `https://example.com:8443` are different origins (different port). Path (`/a` vs `/b`) and query string are NOT part of the origin.
Origin is the yardstick for the Same-Origin Policy and the boundary for CORS, postMessage, and storage isolation (localStorage, IndexedDB). Note that cookies use a different 'site' concept — cookies can span subdomains and ignore ports — which is why SameSite and Domain attributes exist separately. Understanding origins precisely lets you diagnose most CORS errors and auth-cookie problems.