The origin of a resource and the effective script origin of a resource are both either opaque identifiers or tuples consisting of a scheme component, a host component, a port component, and optionally extra data.
The extra data could include the certificate of the site when using encrypted connections, to ensure that if the site's secure certificate changes, the origin is considered to change as well.
An origin or effective script origin can be defined as an alias to another origin or effective script origin. The value of the origin or effective script origin is then the value of the origin or effective script origin to which it is an alias.
These characteristics are defined as follows:
The origin and effective script origin of the URL are the origin defined in The Web Origin Concept. [ORIGIN]
Document objectsDocument's active
sandboxing flag set has its sandboxed origin
browsing context flag setThe origin is a globally unique identifier
assigned when the Document is created.
The effective script origin is initially an
alias to the
origin of the Document.
Document was generated from a javascript:
URLThe origin is an alias to the
origin of the script of that javascript:
URL.
The effective script origin is initially an
alias to the
origin of the Document.
Document was served over the network and
has an address that uses a URL scheme with a server-based naming
authorityThe origin is an alias to the
origin of the Document's
address.
The effective script origin is initially an
alias to the
origin of the Document.
Document was generated from a data: URL that
was returned as the location of an HTTP redirect (or equivalent in
other protocols)The origin is an alias to the
origin of the URL that redirected to
the data:
URL.
The effective script origin is initially an
alias to the
origin of the Document.
Document was generated from a data: URL
found in another Document or in a scriptThe origin is an alias to the
origin of the Document or script that
initiated the navigation to that
URL.
The effective script origin is initially an
alias to the
effective script origin of the
Document or script that initiated the navigation to that URL.
Document has the address
"about:blank"The origin and effective script
origin of the Document are those it was assigned when its
browsing context was created.
Document is an iframe srcdoc documentThe origin of the Document is an
alias to the
origin of the Document's
browsing context's browsing context
container's Document.
The effective script origin is initially an
alias to the
effective script origin of the
Document's browsing context's
browsing context container's
Document.
Document was obtained in some other manner
(e.g. a data:
URL typed in by the user, a Document created
using the createDocument()
API, etc)The origin is a globally unique identifier
assigned when the Document is created.
The effective script origin is initially an
alias to the
origin of the Document.
The effective script origin of a
Document can be manipulated using the document.domain IDL
attribute.
img element and
its image data is CORS-cross-originimg element and
its image data is CORS-same-originimg element's
Document.Images do not have an effective script origin.
audio and video elementsDocument.Media elements do not have an effective script origin.
The origin of a downloadable Web font is an alias to the origin of the absolute URL used to obtain the font (after any redirects). [CSSFONTS]
The origin of a locally installed system font is
an alias to the
origin of the Document in which that
font is being used.
Fonts do not have an effective script origin.
The origin and effective script origin of a script are determined from another resource, called the owner:
script elementDocument to which the
script element belongs.Document to which the
attribute node belongs.javascript: URL that was returned as the
location of an HTTP redirect (or equivalent in
other protocols)javascript: URL.javascript: URL in an attributeDocument of the element on
which the attribute is found.javascript: URL in a style sheetjavascript: URL to which a browsing
context is being navigated,
the URL having been provided by the user (e.g. by using a
bookmarklet)Document of the browsing
context's active document.javascript: URL to which a browsing
context is being navigated,
the URL having been declared in markupDocument of the element
(e.g. an a or area element) that
declared the URL.javascript: URL to which a browsing
context is being navigated,
the URL having been provided by scriptThe origin of the script is then an alias to the origin of the owner, and the effective script origin of the script is an alias to the effective script origin of the owner.
Other specifications can override the above definitions by
themselves specifying the origin of a particular URL,
Document, image, media element, font, or
script.
The Unicode serialization of an origin is the string obtained by applying the following algorithm to the given origin:
If the origin in question is not a
scheme/host/port tuple, then return the literal string "null" and abort these steps.
Otherwise, let result be the scheme part of the origin tuple.
Append the string "://" to result.
Apply the IDNA ToUnicode algorithm to each component of the host part of the origin tuple, and append the results — each component, in the same order, separated by U+002E FULL STOP characters (.) — to result. [RFC3490]
If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.
Return result.
The ASCII serialization of an origin is the string obtained by applying the following algorithm to the given origin:
If the origin in question is not a
scheme/host/port tuple, then return the literal string "null" and abort these steps.
Otherwise, let result be the scheme part of the origin tuple.
Append the string "://" to result.
Apply the IDNA ToASCII algorithm the host part of the origin tuple, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and append the results result.
If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then return the empty string and abort these steps. [RFC3490]
If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.
Return result.
Two origins are said to be the same origin if the following algorithm returns true:
Let A be the first origin being compared, and B be the second origin being compared.
If A and B are both opaque identifiers, and their value is equal, then return true.
Otherwise, if either A or B or both are opaque identifiers, return false.
If A and B have scheme components that are not identical, return false.
If A and B have host components that are not identical, return false.
If A and B have port components that are not identical, return false.
If either A or B have additional data, but that data is not identical for both, return false.
Return true.
domain [ = domain ]Returns the current domain used for security checks.
Can be set to a value that removes subdomains, to change the effective script origin to allow pages on other subdomains of the same domain (if they do the same thing) to access each other.
The domain
attribute on Document objects must be initialized to
the document's domain, if it has one, and the empty
string otherwise. If the value is an IPv6 address, then the square
brackets from the host portion of the <host> component must be omitted from
the attribute's value.
On getting, the attribute must return its current value, unless
the Document has no browsing context, in
which case it must return the empty string.
On setting, the user agent must run the following algorithm:
If the Document has no browsing
context, throw a SecurityError exception and
abort these steps.
If the new value is an IP address, let new value be the new value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and let new value be the result of the ToASCII algorithm.
If ToASCII fails to convert one of the components of the
string, e.g. because it is too long or because it contains invalid
characters, then throw a SecurityError exception and abort
these steps. [RFC3490]
If new value is not exactly equal to the
current value of the document.domain attribute, then
run these substeps:
If the current value is an IP address, throw a
SecurityError exception and abort these steps.
If new value, prefixed by a U+002E FULL
STOP (.), does not exactly match the end of the current value,
throw a SecurityError exception and abort these
steps.
If new value matches a suffix in the
Public Suffix List, or, if new value,
prefixed by a U+002E FULL STOP (.), matches the end of a
suffix in the Public Suffix List, then throw a
SecurityError exception and abort these steps. [PSL]
Suffixes must be compared after applying the IDNA ToASCII algorithm to them, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, in an ASCII case-insensitive manner. [RFC3490]
Release the storage mutex.
Set the attribute's value to new value.
If the effective script origin of the
Document is an alias, set it to the value of
the effective script origin (essentially de-aliasing
the effective script origin).
If new value is not the empty string, then run these substeps:
Set the host part of the effective script origin
tuple of the Document to new
value.
Set the port part of the effective script origin
tuple of the Document to "manual override" (a value
that, for the purposes of comparing
origins, is identical to "manual override" but not
identical to any other value).
The domain of a
Document is the host part of the document's
origin, if the value of that origin is a
scheme/host/port tuple. If it isn't, then the document does not have
a domain.
The domain
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.
Do not use the document.domain attribute when
using shared hosting. If an untrusted third party is able to host an
HTTP server at the same IP address but on a different port, then the
same-origin protection that normally protects two different sites on
the same host will fail, as the ports are ignored when comparing
origins after the document.domain attribute has
been used.
A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:
This flag prevents content from navigating browsing contexts other than the sandboxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxed top-level navigation browsing context flag defined below).
If the sandboxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxed navigator, set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxed navigation browsing context flag would prevent them from being navigated even if they were opened.)
This flag prevents content from creating new auxiliary browsing
contexts, e.g. using the target attribute, the
window.open() method, or the showModalDialog() method.
This flag prevents content from navigating their top-level browsing context.
When the sandboxed top-level navigation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag.
This flag prevents content from instantiating plugins, whether
using the embed element, the object element, the applet element, or through navigation of a nested browsing context, unless
those plugins can be secured.
This flag prevents content from using the seamless
attribute on descendant iframe elements.
This prevents a page inserted using the allow-same-origin keyword from using a
CSS-selector-based method of probing the DOM of other pages on the same site (in particular,
pages that contain user-sensitive information).
This flag forces content into a unique origin, thus preventing it from accessing other content from the same origin.
This flag also prevents script from reading from or writing to the
document.cookie IDL attribute, and blocks access to
localStorage.
This flag blocks form submission.
This flag disables the Pointer Lock API. [POINTERLOCK]
This flag blocks script execution.
This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control.
This flag prevents content from using the requestFullScreen() method.
When the user agent is to parse a sandboxing directive, given a string input, a sandboxing flag set output, and optionally an allow fullscreen flag, it must run the following steps:
Split input on spaces, to obtain tokens.
Let output be empty.
Add the following flags to output:
The sandboxed auxiliary navigation browsing context flag, unless tokens contains the allow-popups keyword.
The sandboxed top-level navigation browsing context flag, unless tokens contains the allow-top-navigation
keyword.
The sandboxed origin browsing context flag, unless the tokens contains the allow-same-origin
keyword.
The allow-same-origin keyword
is intended for two cases.
First, it can be used to allow content from the same site to be sandboxed to disable scripting, while still allowing access to the DOM of the sandboxed content.
Second, it can be used to embed content from a third-party site, sandboxed to prevent that site from opening pop-up windows, etc, without preventing the embedded page from communicating back to its originating site, using the database APIs to store data, etc.
The sandboxed forms browsing context flag, unless tokens contains the allow-forms keyword.
The sandboxed pointer lock browsing context flag, unless tokens contains the allow-pointer-lock
keyword.
The sandboxed scripts browsing context flag, unless tokens contains the allow-scripts keyword.
The sandboxed automatic features browsing context flag, unless tokens contains the allow-scripts keyword (defined above).
This flag is relaxed by the same keyword as scripts, because when scripts are enabled these features are trivially possible anyway, and it would be unfortunate to force authors to use script to do them when sandboxed rather than allowing them to use the declarative features.
The sandboxed fullscreen browsing context flag, unless the allow fullscreen flag was passed to the parse a sandboxing directive flag.
Every top-level browsing context has a popup sandboxing flag set, which is a sandboxing flag set. When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a browsing context given a browsing context name.
Every nested browsing context has an
iframe sandboxing flag set, which is a
sandboxing flag set. Which flags in a nested
browsing context's iframe sandboxing flag
set are set at any particular time is determined by the
iframe element's sandbox attribute.
Every Document has an active sandboxing flag
set, which is a sandboxing flag set. When the
Document is created, its active sandboxing flag
set must be empty. It is populated by the navigation algorithm.
Every resource that is obtained by the navigation algorithm has a forced sandboxing flag set, which is a sandboxing flag set. A resource by default has no flags set in its forced sandboxing flag set, but other specifications can define that certain flags are set.
In particular, the forced sandboxing flag set is used by the Content Security Policy specification. [CSP]
When a user agent is to implement the sandboxing for a Document, it
must populate Document's active sandboxing flag set with the union of
the flags that are present in the following sandboxing flag
sets at the time the Document object is created:
If the Document's browsing context is a top-level browsing
context, then: the flags set on the browsing context's popup sandboxing
flag set.
If the Document's browsing context is a nested browsing
context, then: the flags set on the browsing context's
iframe sandboxing flag set.
If the Document's browsing context is a nested browsing
context, then: the flags set on the browsing context's parent browsing
context's active document's active sandboxing flag set.
The flags set on the Document's resource's forced sandboxing flag
set, if it has one.