1. 7 Loading web pages
    1. 7.1 Supporting concepts
      1. 7.1.1 Origins
        1. 7.1.1.1 Sites
        2. 7.1.1.2 Relaxing the same-origin restriction
      2. 7.1.2 Origin-keyed agent clusters
      3. 7.1.3 Cross-origin opener policies
        1. 7.1.3.1 The headers
        2. 7.1.3.2 Browsing context group switches due to opener policy
        3. 7.1.3.3 Reporting
      4. 7.1.4 Cross-origin embedder policies
        1. 7.1.4.1 The headers
        2. 7.1.4.2 Embedder policy checks
      5. 7.1.5 Sandboxing
      6. 7.1.6 Policy containers

7 Loading web pages

This section describes features that apply most directly to web browsers. Having said that, except where specified otherwise, the requirements defined in this section do apply to all user agents, whether they are web browsers or not.

7.1 Supporting concepts

7.1.1 Origins

Origins are the fundamental currency of the web's security model. Two actors in the web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.

For example, if Example Bank's web site, hosted at bank.example.com, tries to examine the DOM of Example Charity's web site, hosted at charity.example.org, a "SecurityError" DOMException will be raised.


An origin is one of the following:

An opaque origin

An internal value, with no serialization it can be recreated from (it is serialized as "null" per serialization of an origin), for which the only meaningful operation is testing for equality.

A tuple origin

A tuple consisting of a scheme, a host, a port (possibly null), and a domain (possibly null).

Origins can be shared, e.g., among multiple Document objects. Furthermore, origins are generally immutable. Only the domain of a tuple origin can be changed, and only through the document.domain API.

The effective domain of an origin origin is computed as follows:

  1. If origin is an opaque origin, then return null.

  2. If origin's domain is non-null, then return origin's domain.

  3. Return origin's host.

The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:

  1. If origin is an opaque origin, then return "null".

  2. Otherwise, let result be origin's scheme.

  3. Append "://" to result.

  4. Append origin's host, serialized, to result.

  5. If origin's port is non-null, append a U+003A COLON character (:), and origin's port, serialized, to result.

  6. Return result.

The serialization of ("https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".

There used to also be a Unicode serialization of an origin. However, it was never widely adopted.


Two origins, A and B, are said to be same origin if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins and their schemes, hosts, and port are identical, then return true.

  3. Return false.

Two origins, A and B, are said to be same origin-domain if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.

  2. If A and B are both tuple origins:

    1. If A and B's schemes are identical, and their domains are identical and non-null, then return true.

    2. Otherwise, if A and B are same origin and their domains are both null, return true.

  3. Return false.

The following table shows how the two relations differ. The "same origin" and "same origin-domain" columns are the results of running the algorithms above on each pair:

A                                                B                                                same origin   same origin-domain
("https", "example.org", null, null)             ("https", "example.org", null, null)             yes           yes
("https", "example.org", 314, null)              ("https", "example.org", 420, null)              no            no
("https", "example.org", 314, "example.org")     ("https", "example.org", 420, "example.org")     no            yes
("https", "example.org", null, null)             ("https", "example.org", null, "example.org")    yes           no
("https", "example.org", null, "example.org")    ("http", "example.org", null, "example.org")     no            no

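An added example, not code from the HTML Standard: a small JavaScript model of the algorithms above (serialization of an origin, effective domain, same origin, same origin-domain), exercised on the rows of the table. The `OpaqueOrigin` class and the `tuple` helper are names assumed for this example.

```javascript
// Tuple origins are modelled as {scheme, host, port, domain}; opaque origins
// are unique objects that only compare equal to themselves (assumed names).
class OpaqueOrigin {}

const tuple = (scheme, host, port = null, domain = null) =>
  ({ scheme, host, port, domain });

// Serialization of an origin: opaque -> "null", else scheme://host[:port].
// The domain component never appears in the serialization.
function serializeOrigin(o) {
  if (o instanceof OpaqueOrigin) return "null";
  let result = o.scheme + "://" + o.host;
  if (o.port !== null) result += ":" + o.port;
  return result;
}

// Effective domain: a non-null (document.domain-set) domain wins over the host.
function effectiveDomain(o) {
  if (o instanceof OpaqueOrigin) return null;
  return o.domain !== null ? o.domain : o.host;
}

// Same origin: scheme, host and port must match; the domain field is ignored,
// so setting document.domain on one side does not change this relation.
function sameOrigin(a, b) {
  if (a instanceof OpaqueOrigin || b instanceof OpaqueOrigin) return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Same origin-domain: either both sides set the same non-null domain under the
// same scheme, or neither set a domain and the origins are same origin.
function sameOriginDomain(a, b) {
  if (a instanceof OpaqueOrigin || b instanceof OpaqueOrigin) return a === b;
  if (a.scheme === b.scheme && a.domain !== null && a.domain === b.domain) return true;
  return sameOrigin(a, b) && a.domain === null && b.domain === null;
}

// Row 3 of the table: different ports, so not same origin, but both documents
// set document.domain to "example.org", which makes them same origin-domain.
const rowA = tuple("https", "example.org", 314, "example.org");
const rowB = tuple("https", "example.org", 420, "example.org");
console.log(sameOrigin(rowA, rowB), sameOriginDomain(rowA, rowB)); // false true
```

Note that row 4 shows the relaxation is not symmetric in its effect: a document that has set document.domain stops being same origin-domain with one that has not, even though the two remain same origin.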
7.1.1.1 Sites

A scheme-and-host is a tuple of a scheme (an ASCII string) and a host (a host).

A site is an opaque origin or a scheme-and-host.

To obtain a site, given an origin origin, run these steps:

  1. If origin is an opaque origin, then return origin.

  2. If origin's host's registrable domain is null, then return (origin's scheme, origin's host).

  3. Return (origin's scheme, origin's host's registrable domain).

Two sites, A and B, are said to be same site if the following algorithm returns true:

  1. If A and B are the same opaque origin, then return true.