HTTP - Same Origin Request

About

A request is a same-origin request if:

• the request’s origin
• and the origin of request’s current url page

are the same.

Rules

Two HTTP requests have not the same origin if the URIs have:

• A different domain (for example, from example.com to datacadamia.com)
• A different subdomain (for example, from example.com to petstore.example.com)
• A different port (for example, from example.com to example.com:10777)
• A different protocol (for example, from https://example.com to http://example.com)

than the actual loaded page.

In other words, Two HTTP requests have not the same origin when the URIs have the:

• same scheme,
• same host and port components (ie endpoint)

Example

same origin

Example: All of the following resources have the same origin

• http://example.com/
• http://example.com:80/
• http://example.com/path/file
• https://example.com/page.html
• https://example.com/other-page.html

not the same origin

• https://example.com/page.html
• https://not.example.com/page.html

Management

Same Origin Policy

User agents (such as browser) commonly apply same-origin restrictions to network requests. See Same-Origin Policy.

Algorithm

Two origins are said to be the same origin if the algorithm returns true.