Origin

Security

Overview

An origin is the fundamental unit of web security, defined by the tuple of scheme (protocol), host, and port.

If any one of the three differs, the browser treats it as a different origin, and many browser security policies enforce their boundaries against this definition.

Details

For example, `https://app.example.com` and `http://app.example.com` are different origins (different scheme), and `https://example.com:443` versus `https://example.com:8443` are different origins (different port). Path (`/a` vs `/b`) and query string are NOT part of the origin.

Origin is the yardstick for the Same-Origin Policy and the boundary for CORS, postMessage, and storage isolation (localStorage, IndexedDB). Note that cookies use a different 'site' concept — cookies can span subdomains and ignore ports — which is why SameSite and Domain attributes exist separately. Understanding origins precisely lets you diagnose most CORS errors and auth-cookie problems.

Related types