Origins are the fundamental currency of the web's security model. Two actors in the web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.
For example, if Example Bank's web site, hosted at bank.example.com, tries to examine the DOM of Example Charity's web site, hosted
at charity.example.org, a "SecurityError"
DOMException will be raised.
An origin is one of the following:
An internal value, with no serialization it can be recreated from (it is serialized as
"null" per serialization of an origin), for which the only
meaningful operation is testing for equality.
A tuple consists of:
Origins can be shared, e.g., among multiple
Document objects. Furthermore, origins are generally
immutable. Only the domain of a tuple origin can be changed, and only through the document.domain API.
The effective domain of an origin origin is computed as follows:
If origin is an opaque origin, then return null.
If origin's domain is non-null, then return origin's domain.
Return origin's host.
Various specification objects are defined to have an origin. These origins are determined as follows:
Document objectsThe create a new browsing context and navigation algorithms assign the origin at construction time. Otherwise, the default default behavior as defined in DOM applies. [DOM]
img elementsA unique opaque origin assigned when the image is created.
The img element's node document's
origin.
audio and video elementsA unique opaque origin assigned when the media data is fetched.
The media element's node document's origin.
Other specifications can override the above definitions by themselves specifying the origin of
a particular Document object, image, or media element.
The serialization of an origin is the string obtained by applying the following algorithm to the given origin origin:
If origin is an opaque origin, then
return "null".
Otherwise, let result be origin's scheme.
Append "://" to result.
Append origin's host, serialized, to result.
If origin's port is non-null, append a U+003A COLON character (:), and origin's port, serialized, to result.
Return result.
The serialization of ("https", "xn--maraa-rta.example", null, null) is "https://xn--maraa-rta.example".
There used to also be a Unicode serialization of an origin. However, it was never widely adopted.
Two origins, A and B, are said to be same origin if the following algorithm returns true:
If A and B are the same opaque origin, then return true.
If A and B are both tuple origins and their schemes, hosts, and port are identical, then return true.
Return false.
Two origins, A and B, are said to be same origin-domain if the following algorithm returns true:
If A and B are the same opaque origin, then return true.
If A and B are both tuple origins, run these substeps:
If A and B's schemes are identical, and their domains are identical and non-null, then return true.
Otherwise, if A and B are same origin and their domains are identical and null, then return true.
Return false.
| A | B | same origin | same origin-domain |
|---|---|---|---|
("https", "example.org", null, null)
| ("https", "example.org", null, null)
| ✅ | ✅ |
("https", "example.org", 314, null)
| ("https", "example.org", 420, null)
| ❌ | ❌ |
("https", "example.org", 314, "example.org")
| ("https", "example.org", 420, "example.org")
| ❌ | ✅ |
("https", "example.org", null, null)
| ("https", "example.org", null, "example.org")
| ✅ | ❌ |
("https", "example.org", null, "example.org")
| ("http", "example.org", null, "example.org")
| ❌ | ❌ |
A scheme-and-host is a tuple of a scheme and a host.
A site is an opaque origin or a scheme-and-host.
To obtain a site, given an origin origin, run these steps:
If origin is an opaque origin, then return origin.
If origin's host's registrable domain is null, then return (origin's scheme, origin's host).
Return (origin's scheme, origin's host's registrable domain).
Two origins, A and B, are said to be schemelessly same site if the following algorithm returns true:
If A and B are the same opaque origin, then return true.
If A and B are both tuple origins, then:
If hostA equals hostB and hostA's registrable domain is null, then return true.
If hostA's registrable domain equals hostB's registrable domain and is non-null, then return true.
Return false.
Two origins, A and B, are said to be same site if both of the following statements are true:
A and B are schemelessly same site
A and B are either both opaque origins, or both tuple origins with the same scheme
Unlike the same origin and same origin-domain concepts, for schemelessly same site and same site, the port and domain components are ignored.
For the reasons explained in URL, the same site and schemelessly same site concepts should be avoided when possible, in favor of same origin checks.
Given that wildlife.museum, museum, and
com are public suffixes and that
example.com is not:
| A | B | schemelessly same site | same site |
|---|---|---|---|
("https", "example.com")
| ("https", "sub.example.com")
| ✅ | ✅ |
("https", "example.com")
| ("https", "sub.other.example.com")
| ✅ | ✅ |
("https", "example.com")
| ("http", "non-secure.example.com")
| ✅ | ❌ |
("https", "r.wildlife.museum")
| ("https", "sub.r.wildlife.museum")
| ✅ | ✅ |
("https", "r.wildlife.museum")
| ("https", "sub.other.r.wildlife.museum")
| ✅ | ✅ |
("https", "r.wildlife.museum")
| ("https", "other.wildlife.museum")
| ❌ | ❌ |
("https", "r.wildlife.museum")
| ("https", "wildlife.museum")
| ❌ | ❌ |
("https", "wildlife.museum")
| ("https", "wildlife.museum")
| ✅ | ✅ |
(Here we have omitted the port and domain components since they are not considered.)
Support in all current engines.
domain [ = domain ]Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the origin's domain to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. This enables pages on different hosts of a domain to synchronously access each other's DOMs.
In sandboxed iframes, Documents with opaque origins, Documents without a browsing context, and when the "document-domain" feature is disabled, the setter will
throw a "SecurityError" exception. In cases where crossOriginIsolated or originIsolated return true, the setter will do nothing.
Avoid using the document.domain
setter. It undermines the security protections provided by the same-origin policy. This is
especially acute when using shared hosting; for example, if an untrusted third party is able to
host an HTTP server at the same IP address but on a different port, then the same-origin
protection that normally protects two different sites on the same host will fail, as the ports
are ignored when comparing origins after the document.domain setter has been used.
Because of these security pitfalls, this feature is in the process of being removed from the web platform. (This is a long process that takes many years.)
Instead, use postMessage() or
MessageChannel objects to communicate across origins in a safe manner.
The domain getter steps are:
Let effectiveDomain be this's origin's effective domain.
If effectiveDomain is null, then return the empty string.
Return effectiveDomain, serialized.
The domain setter steps are:
If this's browsing context is null,
then throw a "SecurityError" DOMException.
If this's active sandboxing flag set has its sandboxed
document.domain browsing context flag set, then
throw a "SecurityError" DOMException.
If this is not allowed to use the "document-domain" feature, then throw a
"SecurityError" DOMException.
Let effectiveDomain be this's origin's effective domain.
If effectiveDomain is null, then throw a
"SecurityError" DOMException.
If the given value is not
a registrable domain suffix of and is not equal to effectiveDomain, then throw
a "SecurityError" DOMException.
If the surrounding agent's agent cluster's cross-origin isolated is true, then return.
If the surrounding agent's agent cluster's origin-isolated is true, then return.
Set this's origin's domain to the result of parsing the given value.
To determine if a string hostSuffixString is a registrable domain suffix of or is equal to a host originalHost, run these steps:
If hostSuffixString is the empty string, then return false.
Let host be the result of parsing hostSuffixString.
If host is failure, then return false.
If host does not equal originalHost, then:
If host or originalHost is not a domain, then return false.
This excludes hosts that are an IPv4 address or an IPv6 address.
If host, prefixed by a U+002E FULL STOP (.), does not exactly match the end of originalHost, then return false.
If host equals host's public suffix, then return false. [URL]
Return true.
originIsolatedReturns true if this Window is origin-isolated in the manner described in this
section.
A Document delivered over a secure context can opt in to origin
isolation, by using the `Origin-Isolation` HTTP
response header. This header is a structured header
whose value must be a boolean. [STRUCTURED-FIELDS]
Per the processing model in the create
and initialize a new Document object, values that are not the structured
header boolean true value (i.e., `?1`) will be ignored.
The consequences of using this header are that the resulting
Document's agent cluster key is its origin, instead of the
corresponding site. In terms of observable effects, this means
that attempting to relax the same-origin
restriction using document.domain will instead do
nothing, and it will not be possible to send WebAssembly.Module objects to
cross-origin Documents (even if they are same site). Behind the scenes,
this isolation can allow user agents to allocate implementation-specific resources corresponding
to agent clusters, such as processes or threads, more
efficiently.
Note that within a browsing context group, the `Origin-Isolation` header can never cause same-origin
Document objects to end up in different agent
clusters, even if one sends the header and the other doesn't. This is
prevented by means of the historical agent cluster key map.
This means that the originIsolated getter
can return false, even if the header is set, if the header was omitted on a previously-loaded
same-origin page in the same browsing context group. Similarly, it can return true
even when the header is not set.
The originIsolated getter steps are
to return the surrounding agent's agent cluster's
origin-isolated.
Documents with an opaque
origin can be considered unconditionally origin-isolated; for them the header has no
effect.
Similarly, Documents in a cross-origin isolated
agent cluster are automatically origin-isolated. The `Origin-Isolation` header might be useful as an additional
hint to implementations about resource allocation, since the `Cross-Origin-Opener-Policy` and
`Cross-Origin-Embedder-Policy` headers used to achieve cross-origin isolation are
more about ensuring that everything in the same address space opts in to being there. But adding
it would have no additional observable effects on author code.
A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:
This flag prevents content from navigating browsing contexts other than the sandboxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxed top-level navigation without user activation browsing context flag and sandboxed top-level navigation with user activation browsing context flag defined below).
If the sandboxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxed navigator, set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxed navigation browsing context flag would prevent them from being navigated even if they were opened.)
This flag prevents content from creating new auxiliary browsing
contexts, e.g. using the target attribute or
the window.open() method.
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing context's active window does not have transient activation.
When the sandboxed top-level navigation without user activation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag.
This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context. It is consulted only when the sandboxed browsing context's active window has transient activation.
As with the sandboxed top-level navigation without user activation browsing context flag, this flag only affects the top-level browsing context; if it is not set, other browsing contexts might still be protected by other flags.
This flag prevents content from instantiating plugins,
whether using the embed element, the object element, or through navigation of their nested browsing context,
unless those plugins can be secured.
This flag forces content into a unique origin, thus preventing it from accessing other content from the same origin.
This flag also prevents script from reading from or writing to the
document.cookie IDL attribute, and blocks access to
localStorage.
This flag blocks form submission.
This flag disables the Pointer Lock API. [POINTERLOCK]
This flag blocks script execution.
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control.
document.domain
browsing context flagThis flag prevents content from using the
document.domain setter.
This flag prevents content from escaping the sandbox by ensuring that any auxiliary browsing context it creates inherits the content's active sandboxing flag set.
This flag prevents content from using any of the following features to produce modal dialogs:
This flag disables the ability to lock the screen orientation. [SCREENORIENTATION]
This flag disables the Presentation API. [PRESENTATION]
This flag prevents content from initiating or instantiating downloads, whether through downloading hyperlinks or through navigation that gets handled as a download.
When the user agent is to parse a sandboxing directive, given a string input, a sandboxing flag set output, it must run the following steps:
Split input on ASCII whitespace, to obtain tokens.
Let output be empty.
Add the following flags to output:
The sandboxed auxiliary navigation browsing context flag, unless tokens contains the allow-popups keyword.
The sandboxed top-level navigation without user activation browsing context flag, unless
tokens contains the allow-top-navigation keyword.
The sandboxed top-level navigation with user activation browsing context flag, unless
tokens contains either the allow-top-navigation-by-user-activation
keyword or the allow-top-navigation keyword.
This means that if the allow-top-navigation is present, the allow-top-navigation-by-user-activation
keyword will have no effect. For this reason, specifying both is a document conformance error.
The sandboxed origin browsing context flag, unless the tokens contains the allow-same-origin
keyword.
The allow-same-origin keyword
is intended for two cases.
First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content.
Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening popups, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.
The sandboxed forms browsing context flag, unless tokens contains the allow-forms keyword.
The sandboxed pointer lock browsing context flag, unless tokens contains the allow-pointer-lock
keyword.
The sandboxed scripts browsing context flag, unless tokens contains the allow-scripts keyword.
The sandboxed automatic features browsing context flag, unless tokens contains the allow-scripts keyword (defined above).
This flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features.
The sandbox propagates to auxiliary browsing contexts flag, unless
tokens contains the allow-popups-to-escape-sandbox
keyword.
The sandboxed modals flag, unless tokens contains the allow-modals keyword.
The sandboxed orientation lock browsing context flag, unless
tokens contains the allow-orientation-lock
keyword.
The sandboxed presentation browsing context flag, unless tokens
contains the allow-presentation
keyword.
The sandboxed downloads browsing context flag, unless
tokens contains the allow-downloads keyword.
Every top-level browsing context has a popup sandboxing flag set, which is a sandboxing flag set. When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a browsing context and the obtain a browsing context to use for a navigation response algorithm.
Every iframe element has an iframe sandboxing flag set,
which is a sandboxing flag set. Which flags in an iframe
sandboxing flag set are set at any particular time is determined by the iframe
element's sandbox attribute.
Every Document has an active sandboxing flag set,
which is a sandboxing flag set. When the Document is created, its
active sandboxing flag set must be empty. It is populated by the navigation algorithm.
Every resource that is obtained by the navigation algorithm has a forced sandboxing flag set, which is a sandboxing flag set. A resource by default has no flags set in its forced sandboxing flag set, but other specifications can define that certain flags are set.
In particular, the forced sandboxing flag set is used by Content Security Policy. [CSP]
To determine the creation sandboxing flags for a browsing context browsing context, given null or an element embedder, return the union of the flags that are present in the following sandboxing flag sets:
If embedder is null, then: the flags set on browsing context's popup sandboxing flag set.
If embedder is an element, then: the flags set on embedder's
iframe sandboxing flag set.
If embedder is an element, then: the flags set on embedder's node document's active sandboxing flag set.
After creation, the sandboxing flags for a browsing context browsing context are the result of determining the creation sandboxing flags given browsing context and browsing context's container.
A cross-origin opener policy allows a document which is navigated to in a top-level browsing context to force the creation of a new top-level browsing context, and a corresponding group. It has one of the following values:
unsafe-none"This is the (current) default and means that the document will occupy the same top-level browsing context as its predecessor, unless that document specified a different cross-origin opener policy.
same-origin-allow-popups"This forces the creation of a new top-level browsing context for the document, unless its predecessor specified the same cross-origin opener policy and they are same origin.
same-origin"This behaves the same as "same-origin-allow-popups", with the addition that
any auxiliary browsing context created needs to contain same origin
documents that also have the same cross-origin opener policy or it will appear
closed to the opener.
same-origin-plus-COEP"This behaves the same as "same-origin", with the
addition that it sets the (new) top-level browsing context's group's cross-origin isolated to
true.
"same-origin-plus-COEP" cannot
be directly set via the `Cross-Origin-Opener-Policy` header, but results
from a combination of setting both `Cross-Origin-Opener-Policy: same-origin` and `Cross-Origin-Embedder-Policy: require-corp` together.
To match cross-origin opener policies, given a cross-origin opener policy A, an origin originA, a cross-origin opener policy B, and an origin originB:
If A is "unsafe-none" and B
is "unsafe-none", then return true.
If A is "unsafe-none" or B is
"unsafe-none", then return false.
If A is B and originA is same origin with originB, then return true.
Return false.
Cross-Origin-Opener-Policy`
headerA Document's cross-origin opener
policy is derived from the `Cross-Origin-Opener-Policy` HTTP response header.
This header is a structured header whose value must
be a token. [STRUCTURED-FIELDS]
The valid token values are "unsafe-none", "same-origin-allow-popups", and "same-origin".
Per the processing model described below, user agents will ignore this header if it contains an invalid value. Likewise, user agents will ignore this header if the value cannot be parsed as a token.
To obtain a cross-origin opener policy given a response response and an environment reservedEnvironment:
If reservedEnvironment is a non-secure context, then return
"unsafe-none".
Let value be the result of getting a structured field value given
`Cross-Origin-Opener-Policy` and "item" from response's header list.
If value is null, then return "unsafe-none".
If value[0] is not "same-origin" or
"same-origin-allow-popups", then return
"unsafe-none".
If value[0] is "same-origin", then:
Let coep be the result of obtaining an embedder policy from response.
If coep's value is
"require-corp", then return "same-origin-plus-COEP".
Return value[0].
A cross-origin opener policy enforcement result is a struct with the following items:
A boolean needs a browsing context group switch.
An origin origin.
A cross-origin opener policy cross-origin opener policy.
To enforce a response's cross-origin opener policy, given a browsing context browsingContext, an origin responseOrigin, a cross-origin opener policy responseCOOP, and a cross-origin opener policy enforcement result currentCOOPEnforcementResult:
Let newCOOPEnforcementResult be a new cross-origin opener policy enforcement result whose needs a browsing context group switch is currentCOOPEnforcementResult's needs a browsing context group switch, origin is responseOrigin, and cross-origin opener policy is responseCOOP.
Let isInitialAboutBlank be false.
If browsingContext's only entry in its session history is the
about:blank Document that was added when browsingContext was
created, then set
isInitialAboutBlank to true.
If the result of matching currentCOOPEnforcementResult's cross-origin opener policy, currentCOOPEnforcementResult's origin, responseCOOP, and responseOrigin is true, then return newCOOPEnforcementResult.
If all of the following are true:
isInitialAboutBlank
currentCOOPEnforcementResult's cross-origin opener policy is "same-origin-allow-popups"
responseCOOP is "unsafe-none"
then return newCOOPEnforcementResult.
Set newCOOPEnforcementResult's needs a browsing context group switch to true.
Return newCOOPEnforcementResult.
To obtain a browsing context to use for a navigation response, given a browsing context browsingContext, a sandboxing flag set sandboxFlags, and a cross-origin opener policy navigationCOOP:
Assert: browsingContext is a top-level browsing context.
Let newBrowsingContext be the result of creating a new top-level browsing context.
If navigationCOOP is "same-origin-plus-COEP", then set
newBrowsingContext's group's cross-origin isolated to true.
If sandboxFlags is not empty, then:
Assert: navigationCOOP is "unsafe-none".
Assert: newBrowsingContext's popup sandboxing flag set is empty.
Set newBrowsingContext's popup sandboxing flag set to a clone of sandboxFlags.
Discard browsingContext.
This has no effect on browsingContext's group, unless browsingContext was its sole top-level browsing context. In that case, the user agent might delete the browsing context group which no longer contains any browsing contexts.
Return newBrowsingContext.
The impact of swapping browsing context groups following a navigation is not fully defined. It is currently under discussion in issue #5350.
Headers/Cross-Origin-Embedder-Policy
Support in all current engines.
An embedder policy value controls the fetching of cross-origin resources without explicit permission from resource owners. There are two such values:
unsafe-none"This is the default value. When this value is used, cross-origin resources can be fetched
without giving explicit permission through the CORS protocol or the
`Cross-Origin-Resource-Policy` header.
require-corp"When this value is used, fetching cross-origin resources requires the server's
explicit permission through the CORS protocol or the
`Cross-Origin-Resource-Policy` header.
An embedder policy consists of:
A value, which is an embedder policy value, initially "unsafe-none".
A reporting endpoint string, initially the empty string.
A report only value, which is an embedder policy value, initially
"unsafe-none".
A report only reporting endpoint string, initially the empty string.
The "coep" report type is a report type whose value
is "coep". It is visible to
ReportingObservers.
The `Cross-Origin-Embedder-Policy` and
`Cross-Origin-Embedder-Policy-Report-Only` HTTP response header fields allow a server
to declare an embedder policy for an environment settings object. These
headers are structured headers whose values must be
token. [STRUCTURED-FIELDS]
The valid token values are the embedder policy values. The token may also have attached parameters; of these, the "report-to" parameter can have a valid URL
string identifying an appropriate reporting endpoint. [REPORTING]
The processing model fails open (by defaulting
to "unsafe-none") in the presence of a header that cannot
be parsed as a token. This includes inadvertent lists created by combining multiple instances of
the `Cross-Origin-Embedder-Policy` header present in a given response:
`Cross-Origin-Embedder-Policy` | Final embedder policy value |
|---|---|
| No header delivered | "unsafe-none" |
`require-corp` | "require-corp" |
`unknown-value` | "unsafe-none" |
`require-corp, unknown-value` | "unsafe-none" |
`unknown-value, unknown-value` | "unsafe-none" |
`unknown-value, require-corp` | "unsafe-none" |
`require-corp, require-corp` | "unsafe-none" |
(The same applies to `Cross-Origin-Embedder-Policy-Report-Only`.)
To obtain an embedder policy from a response response:
Let policy be a new embedder policy.
Let parsedItem be the result of getting a structured field value
with `Cross-Origin-Embedder-Policy` and "item" from
response's header list.
If parsedItem is non-null and parsedItem[0] is "require-corp":
Set parsedItem to the result of getting a structured field value
with `Cross-Origin-Embedder-Policy-Report-Only` and "item"
from response's header
list.
If parsedItem is non-null and parsedItem[0] is "require-corp":
Set policy's report only
value to "require-corp".
If parsedItem[1]["report-to"] exists, then set policy's report only reporting endpoint
to parsedItem[1]["report-to"].
Return policy.
To check a navigation response's adherence to its embedder policy given a response response and a browsing context target:
If target is not a child browsing context, then return true.
Let responsePolicy be the result of obtaining an embedder policy from response.
Let parentPolicy be target's container document's embedder policy.
If parentPolicy's report only
value is "require-corp" and
responsePolicy's value is "unsafe-none", then queue a cross-origin embedder policy
inheritance violation with response, "navigation",
parentPolicy's report
only reporting endpoint, "reporting", and target's container document's relevant settings
object.
If parentPolicy's value is "unsafe-none" or responsePolicy's value is "require-corp", then return true.
Queue a cross-origin embedder policy inheritance violation with
response, "navigation", parentPolicy's reporting endpoint,
"enforce", and target's
container document's relevant settings
object.
Return false.
To check a global object's embedder policy given a WorkerGlobalScope
workerGlobalScope, an environment settings object owner, and
a response response:
If workerGlobalScope is not a DedicatedWorkerGlobalScope object,
then return true.
Let policy be workerGlobalScope's embedder policy.
Let ownerPolicy be owner's embedder policy.
If ownerPolicy's report only
value is "require-corp" and policy's
value is "unsafe-none", then queue a cross-origin embedder policy
inheritance violation with response, "worker
initialization", owner's policy's report only reporting endpoint,
"reporting", and owner.
If ownerPolicy's value is "unsafe-none" or policy's value is "require-corp", then return true.
Queue a cross-origin embedder policy inheritance violation with
response, "worker initialization", owner's policy's
reporting endpoint,
"enforce", and owner.
Return false.
To queue a cross-origin embedder policy inheritance violation given a response response, a string type, a string endpoint, a string disposition, and an environment settings object settings:
Let serialized be the result of serializing a response URL for reporting with response.
Let body be a new object containing the following properties:
| key | value |
|---|---|
| type | type |
| blockedURL | serialized |
| disposition | disposition |
Queue body as the
"coep" report type for endpoint on settings.