Web Origin


Web Origin is described in RFC 6454 as "Roughly speaking", two URIs are part of the same Web Origin (i.e., represent the same principal) if they have the same URI Scheme, hostname, and port.

Web Origin is a concept and both a Security Consideration and a Privacy Consideration which sets the Security Domain and the Trust level for the current transaction.

In this context, "other origins" means the URL being accessed differs from the location that the JavaScript is running from, by having:

Web Origin is the HTTP Request Header "Origin"

The HTTP Request Header field has the following syntax: RFC 6454 section 7.1

  • origin = "Origin:" OWS origin-list-or-null OWS
  • origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list
  • origin-list = serialized-origin *( SP serialized-origin )
  • serialized-origin = scheme "://" host [ ":" port ] ; <scheme>, <host>, <port> from RFC 3986

Web Origin is used in the Fetch API as defined by WHATWG

More Information#

There might be more information for this subject on one of the following: