6.3 Origin

Origins are the fundamental currency of the Web's security model. Two actors in the Web platform that share an origin are assumed to trust each other and to have the same authority. Actors with differing origins are considered potentially hostile versus each other, and are isolated from each other to varying degrees.

For example, if Example Bank's Web site, hosted at bank.example.com, tries to examine the DOM of Example Charity's Web site, hosted at charity.example.org, a SecurityError exception will be raised.


The origin of a resource and the effective script origin of a resource are both either opaque identifiers or tuples consisting of a scheme component, a host component, a port component, and optionally extra data.

The extra data could include the certificate of the site when using encrypted connections, to ensure that if the site's secure certificate changes, the origin is considered to change as well.

An origin or effective script origin can be defined as an alias to another origin or effective script origin. The value of the origin or effective script origin is then the value of the origin or effective script origin to which it is an alias.

These characteristics are defined as follows:

For URLs

The origin and effective script origin of the URL are the origin defined in The Web Origin Concept. [ORIGIN]

For Document objects
If a Document's active sandboxing flag set has its sandboxed origin browsing context flag set

The origin is a globally unique identifier assigned when the Document is created.

The effective script origin is initially an alias to the origin of the Document.

If a Document was served over the network and has an address that uses a URL scheme with a server-based naming authority

The origin is an alias to the origin of the Document's address.

The effective script origin is initially an alias to the origin of the Document.

If a Document was generated from a data: URL found in another Document or in a script

The origin is an alias to the origin specified by the incumbent settings object when the navigate algorithm was invoked, or, if no script was involved, of the Document of the element that initiated the navigation to that URL.

The effective script origin is initially an alias to the effective script origin of that same script settings object or Document.

If a Document is the initial "about:blank" document

The origin and effective script origin of the Document are those it was assigned when its browsing context was created.

If a Document was created as part of the processing for javascript: URLs

The origin is an alias to the origin of the active document of the browsing context being navigated when the navigate algorithm was invoked.

The effective script origin is initially an alias to the effective script origin of that same Document.

If a Document is an iframe srcdoc document

The origin of the Document is an alias to the origin of the Document's browsing context's browsing context container's Document.

The effective script origin is initially an alias to the effective script origin of the Document's browsing context's browsing context container's Document.

If a Document was obtained in some other manner (e.g. a data: URL typed in by the user or that was returned as the location of an HTTP redirect (or equivalent in other protocols), a Document created using the createDocument() API, etc)

The default behavior as defined in the DOM standard applies. [DOM].

The origin is a globally unique identifier assigned when the Document is created, and the effective script origin is initially an alias to the origin of the Document.

The effective script origin of a Document can be manipulated using the document.domain IDL attribute.

For images of img elements
If the image data is CORS-cross-origin
The origin is a globally unique identifier assigned when the image is created.
If the image data is CORS-same-origin
The origin is an alias to the origin of the img element's Document.

Images do not have an effective script origin.

For audio and video elements
If the media data is CORS-cross-origin
The origin is a globally unique identifier assigned when the media data is fetched.
If the media data is CORS-same-origin
The origin is an alias to the origin of the media element's Document.

Media elements do not have an effective script origin.

For fonts

The origin of a downloadable Web font is an alias to the origin of the absolute URL used to obtain the font (after any redirects). [CSSFONTS] [CSSFONTLOAD]

The origin of a locally installed system font is an alias to the origin of the Document in which that font is being used.

Fonts do not have an effective script origin.

Other specifications can override the above definitions by themselves specifying the origin of a particular URL, Document, image, media element, or font.


The Unicode serialization of an origin is the string obtained by applying the following algorithm to the given origin:

  1. If the origin in question is not a scheme/host/port tuple, then return the literal string "null" and abort these steps.

  2. Otherwise, let result be the scheme part of the origin tuple.

  3. Append the string "://" to result.

  4. Apply the domain label to Unicode algorithm to each component of the host part of the origin tuple, and append the results — each component, in the same order, separated by U+002E FULL STOP characters (.) — to result. [URL]

  5. If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.

  6. Return result.

The ASCII serialization of an origin is the string obtained by applying the following algorithm to the given origin:

  1. If the origin in question is not a scheme/host/port tuple, then return the literal string "null" and abort these steps.

  2. Otherwise, let result be the scheme part of the origin tuple.

  3. Append the string "://" to result.

  4. Apply the domain label to ASCII algorithm to each component of the host part of the origin tuple, and append the results — each component, in the same order, separated by U+002E FULL STOP characters (.) — to result. [URL]

    If the ToASCII algorithm used by the domain label to ASCII algorithm fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then throw a SecurityError exception and abort these steps. [RFC3490]

  5. If the port part of the origin tuple gives a port that is different from the default port for the protocol given by the scheme part of the origin tuple, then append a U+003A COLON character (:) and the given port, in base ten, to result.

  6. Return result.

Two origins are said to be the same origin if the following algorithm returns true:

  1. Let A be the first origin being compared, and B be the second origin being compared.

  2. If A and B are both opaque identifiers, and their value is equal, then return true.

  3. Otherwise, if either A or B or both are opaque identifiers, return false.

  4. If A and B have scheme components that are not identical, return false.

  5. If A and B have host components that are not identical, return false.

  6. If A and B have port components that are not identical, return false.

  7. If either A or B have additional data, but that data is not identical for both, return false.

  8. Return true.

6.3.1 Relaxing the same-origin restriction

document . domain [ = domain ]

Returns the current domain used for security checks.

Can be set to a value that removes subdomains, to change the effective script origin to allow pages on other subdomains of the same domain (if they do the same thing) to access each other. (Can't be set in sandboxed iframes.)

The domain attribute on Document objects must be initialized to the document's domain, if it has one, and the empty string otherwise. If the document's domain starts with a U+005B LEFT SQUARE BRACKET character ([) and ends with a U+005D RIGHT SQUARE BRACKET character (]), it is an IPv6 address; these square brackets must be omitted when initializing the attribute's value.

On getting, the attribute must return its current value, unless the Document has no browsing context, in which case it must return the empty string.

On setting, the user agent must run the following algorithm:

  1. If the Document has no browsing context, throw a SecurityError exception and abort these steps.

  2. If the Document's active sandboxing flag set has its sandboxed document.domain browsing context flag set, throw a SecurityError exception and abort these steps.

  3. If the new value is an IPv4 or IPv6 address, let new value be the new value.

    Otherwise, strictly split the new value on U+002E FULL STOP characters (.), apply the domain label to ASCII algorithm to each returned token, and let new value be the result of concatenating the results of applying that algorithm to each token, in the same order, separated by U+002E FULL STOP characters (.). [URL]

    If the ToASCII algorithm used by the domain label to ASCII algorithm fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then throw a SecurityError exception and abort these steps. [RFC3490]

  4. If new value is not exactly equal to the current value of the document.domain attribute, then run these substeps:

    1. If the current value is an IPv4 or IPv6 address, throw a SecurityError exception and abort these steps.

    2. If new value, prefixed by a U+002E FULL STOP (.), does not exactly match the end of the current value, throw a SecurityError exception and abort these steps.

      If the new value is an IPv4 or IPv6 address, it cannot match the new value in this way and thus an exception will be thrown here.

    3. If new value matches a suffix in the Public Suffix List, or, if new value, prefixed by a U+002E FULL STOP (.), matches the end of a suffix in the Public Suffix List, then throw a SecurityError exception and abort these steps. [PSL]

      Suffixes must be compared in an ASCII case-insensitive manner, after applying the domain label to ASCII algorithm to their individual components, . [URL]

  5. Release the storage mutex.

  6. Set the attribute's value to new value.

  7. If the effective script origin of the Document is an alias, set it to the value of the effective script origin (essentially de-aliasing the effective script origin).

  8. If new value is not the empty string, then run these substeps:

    1. Set the host part of the effective script origin tuple of the Document to new value.

    2. Set the port part of the effective script origin tuple of the Document to "manual override" (a value that, for the purposes of comparing origins, is identical to "manual override" but not identical to any other value).

The domain of a Document is the host part of the document's origin, if the value of that origin is a scheme/host/port tuple. If it isn't, then the document does not have a domain.

The domain attribute is used to enable pages on different hosts of a domain to access each others' DOMs.

Do not use the document.domain attribute when using shared hosting. If an untrusted third party is able to host an HTTP server at the same IP address but on a different port, then the same-origin protection that normally protects two different sites on the same host will fail, as the ports are ignored when comparing origins after the document.domain attribute has been used.

6.4 Sandboxing

A sandboxing flag set is a set of zero or more of the following flags, which are used to restrict the abilities that potentially untrusted resources have:

The sandboxed navigation browsing context flag

This flag prevents content from navigating browsing contexts other than the sandboxed browsing context itself (or browsing contexts further nested inside it), auxiliary browsing contexts (which are protected by the sandboxed auxiliary navigation browsing context flag defined next), and the top-level browsing context (which is protected by the sandboxed top-level navigation browsing context flag defined below).

If the sandboxed auxiliary navigation browsing context flag is not set, then in certain cases the restrictions nonetheless allow popups (new top-level browsing contexts) to be opened. These browsing contexts always have one permitted sandboxed navigator, set when the browsing context is created, which allows the browsing context that created them to actually navigate them. (Otherwise, the sandboxed navigation browsing context flag would prevent them from being navigated even if they were opened.)

The sandboxed auxiliary navigation browsing context flag

This flag prevents content from creating new auxiliary browsing contexts, e.g. using the target attribute, the window.open() method, or the showModalDialog() method.

The sandboxed top-level navigation browsing context flag

This flag prevents content from navigating their top-level browsing context and prevents content from closing their top-level browsing context.

When the sandboxed top-level navigation browsing context flag is not set, content can navigate its top-level browsing context, but other browsing contexts are still protected by the sandboxed navigation browsing context flag and possibly the sandboxed auxiliary navigation browsing context flag.

The sandboxed plugins browsing context flag

This flag prevents content from instantiating plugins, whether using the embed element, the object element, the applet element, or through navigation of a nested browsing context, unless those plugins can be secured.

The sandboxed seamless iframes flag

This flag prevents content from using the seamless attribute on descendant iframe elements.

This prevents a page inserted using the allow-same-origin keyword from using a CSS-selector-based method of probing the DOM of other pages on the same site (in particular, pages that contain user-sensitive information).

The sandboxed origin browsing context flag

This flag forces content into a unique origin, thus preventing it from accessing other content from the same origin.

This flag also prevents script from reading from or writing to the document.cookie IDL attribute, and blocks access to localStorage.

The sandboxed forms browsing context flag

This flag blocks form submission.

The sandboxed pointer lock browsing context flag

This flag disables the Pointer Lock API. [POINTERLOCK]

The sandboxed scripts browsing context flag

This flag blocks script execution.

The sandboxed automatic features browsing context flag

This flag blocks features that trigger automatically, such as automatically playing a video or automatically focusing a form control.

The sandboxed fullscreen browsing context flag

This flag prevents content from using the requestFullscreen() method.

The sandboxed document.domain browsing context flag

This flag prevents content from using the document.domain feature to change the effective script origin.

When the user agent is to parse a sandboxing directive, given a string input, a sandboxing flag set output, and optionally an allow fullscreen flag, it must run the following steps:

  1. Split input on spaces, to obtain tokens.

  2. Let output be empty.

  3. Add the following flags to output:


Every top-level browsing context has a popup sandboxing flag set, which is a sandboxing flag set. When a browsing context is created, its popup sandboxing flag set must be empty. It is populated by the rules for choosing a browsing context given a browsing context name.

Every nested browsing context has an iframe sandboxing flag set, which is a sandboxing flag set. Which flags in a nested browsing context's iframe sandboxing flag set are set at any particular time is determined by the iframe element's sandbox attribute.

Every Document has an active sandboxing flag set, which is a sandboxing flag set. When the Document is created, its active sandboxing flag set must be empty. It is populated by the navigation algorithm.

Every resource that is obtained by the navigation algorithm has a forced sandboxing flag set, which is a sandboxing flag set. A resource by default has no flags set in its forced sandboxing flag set, but other specifications can define that certain flags are set.

In particular, the forced sandboxing flag set is used by the Content Security Policy specification. [CSP]


When a user agent is to implement the sandboxing for a Document, it must populate Document's active sandboxing flag set with the union of the flags that are present in the following sandboxing flag sets at the time the Document object is created: