"Same-site" and "same-origin" are frequently cited but often misunderstood
terms. For example, they're used in the context of page transitions,
fetch() requests, cookies, opening popups, embedded resources, and
iframes. This page explains what they are and how they're different from each
other.
Origin
"Origin" is a combination of a
scheme
(also known as the
protocol, for
example HTTP or
HTTPS), a
hostname, and a
port
(if specified). For example, given a URL of https://www.example.com:443/foo ,
the "origin" is https://www.example.com:443.
"Same-origin" and "cross-origin"
Websites that have the same combination of scheme, hostname, and port are considered "same-origin". Everything else is considered "cross-origin".
| Origin A | Origin B | "Same-origin" or "cross-origin"? |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | Cross-origin: different domains |
| https://example.com:443 | Cross-origin: different subdomains | |
| https://login.example.com:443 | Cross-origin: different subdomains | |
| http://www.example.com:443 | Cross-origin: different schemes | |
| https://www.example.com:80 | Cross-origin: different ports | |
| https://www.example.com:443 | Same-origin: exact match | |
| https://www.example.com | Same-origin: implicit port number (443) matches |
Site
Top-level domains (TLDs) such
as .com and .org are listed in the
Root Zone Database. In the previous
example, "site" is a combination of the
scheme,
the TLD, and the part of the
domain just before it (We call it TLD+1). For example, given a URL of
https://www.example.com:443/foo, the "site" is https://example.com.
Public Suffix List and eTLD
For domains with elements such as .co.jp or .github.io, just using .jp or
.io isn't specific enough to identify the "site". There's no way to
algorithmically determine the level of registrable domains for a particular TLD.
To help with that, the Public Suffix List
defines a list of public suffixes, also called effective TLDs (eTLDs). The
list of eTLDs is maintained at publicsuffix.org/list.
To identify the "site" part of a domain that includes an eTLD, apply the same
practice as the example with .com. Taking
https://www.project.github.io:443/foo as an example, the scheme is https,
the eTLD is .github.io and the eTLD+1 is project.github.io, so
https://project.github.io is considered the "site" for this URL.
"same-site" and "cross-site"
Websites that have the same scheme and the same eTLD+1 are considered "same-site". Websites that have a different scheme or a different eTLD+1 are "cross-site".
| Origin A | Origin B | "Same-site" or "cross-site"? |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | Cross-site: different domains |
| https://login.example.com:443 | Same-site: different subdomains don't matter | |
| http://www.example.com:443 | Cross-site: different schemes | |
| https://www.example.com:80 | Same-site: different ports don't matter | |
| https://www.example.com:443 | Same-site: exact match | |
| https://www.example.com | Same-site: ports don't matter |
"Schemeless same-site"
The definition of "same-site" changed to include the URL scheme as part of the
site to prevent HTTP being used as a
weak channel.
The older concept of "same-site" without scheme comparison is now called
"schemeless same-site". For example, http://www.example.com and
https://www.example.com are considered schemeless same-site but not same-site,
because only the eTLD+1 part matters and the scheme isn't considered.
| Origin A | Origin B | "Schemeless same-site" or "cross-site"? |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | Cross-site: different domains |
| https://login.example.com:443 | Schemeless same-site: different subdomains don't matter | |
| http://www.example.com:443 | Schemeless same-site: different schemes don't matter | |
| https://www.example.com:80 | Schemeless same-site: different ports don't matter | |
| https://www.example.com:443 | Schemeless same-site: exact match | |
| https://www.example.com | Schemeless same-site: ports don't matter |
How to check if a request is "same-site", "same-origin", or "cross-site"
All modern browsers send requests with a
Sec-Fetch-Site HTTP header.
The header has one of the following values:
cross-sitesame-site(refers to schemeful same-site)same-originnone
You can examine the value of Sec-Fetch-Site to determine whether the request
is same-site, same-origin, or cross-site.
You can reasonably trust the value of the Sec-Fetch-Site header, because:
- HTTP headers starting with
Sec-can't be modified by JavaScript - The browser always sets these headings.