origin-0.html 44.7 KB

Raw Blame History Permalink

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US-x-Hixie" ><head><title>5.3 Origin &#8212; HTML5 </title><style type="text/css">
   pre { margin-left: 2em; white-space: pre-wrap; }
   h2 { margin: 3em 0 1em 0; }
   h3 { margin: 2.5em 0 1em 0; }
   h4 { margin: 2.5em 0 0.75em 0; }
   h5, h6 { margin: 2.5em 0 1em; }
   h1 + h2, h1 + h2 + h2 { margin: 0.75em 0 0.75em; }
   h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 0.5em; }
   p { margin: 1em 0; }
   hr:not(.top) { display: block; background: none; border: none; padding: 0; margin: 2em 0; height: auto; }
   dl, dd { margin-top: 0; margin-bottom: 0; }
   dt { margin-top: 0.75em; margin-bottom: 0.25em; clear: left; }
   dt + dt { margin-top: 0; }
   dd dt { margin-top: 0.25em; margin-bottom: 0; }
   dd p { margin-top: 0; }
   dd dl + p { margin-top: 1em; }
   dd table + p { margin-top: 1em; }
   p + * > li, dd li { margin: 1em 0; }
   dt, dfn { font-weight: bold; font-style: normal; }
   dt dfn { font-style: italic; }
   pre, code { font-size: inherit; font-family: monospace; font-variant: normal; }
   pre strong { color: black; font: inherit; font-weight: bold; background: yellow; }
   pre em { font-weight: bolder; font-style: normal; }
   @media screen { code { color: orangered; } code :link, code :visited { color: inherit; } }
   var sub { vertical-align: bottom; font-size: smaller; position: relative; top: 0.1em; }
   table { border-collapse: collapse; border-style: hidden hidden none hidden; }
   table thead, table tbody { border-bottom: solid; }
   table tbody th:first-child { border-left: solid; }
   table tbody th { text-align: left; }
   table td, table th { border-left: solid; border-right: solid; border-bottom: solid thin; vertical-align: top; padding: 0.2em; }
   blockquote { margin: 0 0 0 2em; border: 0; padding: 0; font-style: italic; }

   .bad, .bad *:not(.XXX) { color: gray; border-color: gray; background: transparent; }
   .matrix, .matrix td { border: none; text-align: right; }
   .matrix { margin-left: 2em; }
   .dice-example { border-collapse: collapse; border-style: hidden solid solid hidden; border-width: thin; margin-left: 3em; }
   .dice-example caption { width: 30em; font-size: smaller; font-style: italic; padding: 0.75em 0; text-align: left; }
   .dice-example td, .dice-example th { border: solid thin; width: 1.35em; height: 1.05em; text-align: center; padding: 0; }

   .toc dfn, h1 dfn, h2 dfn, h3 dfn, h4 dfn, h5 dfn, h6 dfn { font: inherit; }
   img.extra { float: right; }
   pre.idl { border: solid thin; background: #EEEEEE; color: black; padding: 0.5em 1em; }
   pre.idl :link, pre.idl :visited { color: inherit; background: transparent; }
   pre.css { border: solid thin; background: #FFFFEE; color: black; padding: 0.5em 1em; }
   pre.css:first-line { color: #AAAA50; }
   dl.domintro { color: green; margin: 2em 0 2em 2em; padding: 0.5em 1em; border: none; background: #DDFFDD; }
   hr + dl.domintro, div.impl + dl.domintro { margin-top: 2.5em; margin-bottom: 1.5em; }
   dl.domintro dt, dl.domintro dt * { color: black; text-decoration: none; }
   dl.domintro dd { margin: 0.5em 0 1em 2em; padding: 0; }
   dl.domintro dd p { margin: 0.5em 0; }
   dl.switch { padding-left: 2em; }
   dl.switch > dt { text-indent: -1.5em; }
   dl.switch > dt:before { content: '\21AA'; padding: 0 0.5em 0 0; display: inline-block; width: 1em; text-align: right; line-height: 0.5em; }
   dl.triple { padding: 0 0 0 1em; }
   dl.triple dt, dl.triple dd { margin: 0; display: inline }
   dl.triple dt:after { content: ':'; }
   dl.triple dd:after { content: '\A'; white-space: pre; }
   .diff-old { text-decoration: line-through; color: silver; background: transparent; }
   .diff-chg, .diff-new { text-decoration: underline; color: green; background: transparent; }
   a .diff-new { border-bottom: 1px blue solid; }

   h2 { page-break-before: always; }
   h1, h2, h3, h4, h5, h6 { page-break-after: avoid; }
   h1 + h2, hr + h2.no-toc { page-break-before: auto; }

   p  > span:not([title=""]):not([class="XXX"]):not([class="impl"]):not([class="note"]),
   li > span:not([title=""]):not([class="XXX"]):not([class="impl"]):not([class="note"]), { border-bottom: solid #9999CC; }

   div.head { margin: 0 0 1em; padding: 1em 0 0 0; }
   div.head p { margin: 0; }
   div.head h1 { margin: 0; }
   div.head .logo { float: right; margin: 0 1em; }
   div.head .logo img { border: none } /* remove border from top image */
   div.head dl { margin: 1em 0; }
   div.head p.copyright, div.head p.alt { font-size: x-small; font-style: oblique; margin: 0; }

   body > .toc > li { margin-top: 1em; margin-bottom: 1em; }
   body > .toc.brief > li { margin-top: 0.35em; margin-bottom: 0.35em; }
   body > .toc > li > * { margin-bottom: 0.5em; }
   body > .toc > li > * > li > * { margin-bottom: 0.25em; }
   .toc, .toc li { list-style: none; }

   .brief { margin-top: 1em; margin-bottom: 1em; line-height: 1.1; }
   .brief li { margin: 0; padding: 0; }
   .brief li p { margin: 0; padding: 0; }

   .category-list { margin-top: -0.75em; margin-bottom: 1em; line-height: 1.5; }
   .category-list::before { content: '\21D2\A0'; font-size: 1.2em; font-weight: 900; }
   .category-list li { display: inline; }
   .category-list li:not(:last-child)::after { content: ', '; }
   .category-list li > span, .category-list li > a { text-transform: lowercase; }
   .category-list li * { text-transform: none; } /* don't affect <code> nested in <a> */

   .XXX { color: #E50000; background: white; border: solid red; padding: 0.5em; margin: 1em 0; }
   .XXX > :first-child { margin-top: 0; }
   p .XXX { line-height: 3em; }
   .annotation { border: solid thin black; background: #0C479D; color: white; position: relative; margin: 8px 0 20px 0; }
   .annotation:before { position: absolute; left: 0; top: 0; width: 100%; height: 100%; margin: 6px -6px -6px 6px; background: #333333; z-index: -1; content: ''; }
   .annotation :link, .annotation :visited { color: inherit; }
   .annotation :link:hover, .annotation :visited:hover { background: transparent; }
   .annotation span { border: none ! important; }
   .note { color: green; background: transparent; font-family: sans-serif; }
   .warning { color: red; background: transparent; }
   .note, .warning { font-weight: bolder; font-style: italic; }
   p.note, div.note { padding: 0.5em 2em; }
   span.note { padding: 0 2em; }
   .note p:first-child, .warning p:first-child { margin-top: 0; }
   .note p:last-child, .warning p:last-child { margin-bottom: 0; }
   .warning:before { font-style: normal; }
   p.note:before { content: 'Note: '; }
   p.warning:before { content: '\26A0 Warning! '; }

   .bookkeeping:before { display: block; content: 'Bookkeeping details'; font-weight: bolder; font-style: italic; }
   .bookkeeping { font-size: 0.8em; margin: 2em 0; }
   .bookkeeping p { margin: 0.5em 2em; display: list-item; list-style: square; }
   .bookkeeping dt { margin: 0.5em 2em 0; }
   .bookkeeping dd { margin: 0 3em 0.5em; }

   h4 { position: relative; z-index: 3; }
   h4 + .element, h4 + div + .element { margin-top: -2.5em; padding-top: 2em; }
   .element {
     background: #EEEEFF;
     color: black;
     margin: 0 0 1em 0.15em;
     padding: 0 1em 0.25em 0.75em;
     border-left: solid #9999FF 0.25em;
     position: relative;
     z-index: 1;
   }
   .element:before {
     position: absolute;
     z-index: 2;
     top: 0;
     left: -1.15em;
     height: 2em;
     width: 0.9em;
     background: #EEEEFF;
     content: ' ';
     border-style: none none solid solid;
     border-color: #9999FF;
     border-width: 0.25em;
   }

   .example { display: block; color: #222222; background: #FCFCFC; border-left: double; margin-left: 2em; padding-left: 1em; }
   td > .example:only-child { margin: 0 0 0 0.1em; }

   ul.domTree, ul.domTree ul { padding: 0 0 0 1em; margin: 0; }
   ul.domTree li { padding: 0; margin: 0; list-style: none; position: relative; }
   ul.domTree li li { list-style: none; }
   ul.domTree li:first-child::before { position: absolute; top: 0; height: 0.6em; left: -0.75em; width: 0.5em; border-style: none none solid solid; content: ''; border-width: 0.1em; }
   ul.domTree li:not(:last-child)::after { position: absolute; top: 0; bottom: -0.6em; left: -0.75em; width: 0.5em; border-style: none none solid solid; content: ''; border-width: 0.1em; }
   ul.domTree span { font-style: italic; font-family: serif; }
   ul.domTree .t1 code { color: purple; font-weight: bold; }
   ul.domTree .t2 { font-style: normal; font-family: monospace; }
   ul.domTree .t2 .name { color: black; font-weight: bold; }
   ul.domTree .t2 .value { color: blue; font-weight: normal; }
   ul.domTree .t3 code, .domTree .t4 code, .domTree .t5 code { color: gray; }
   ul.domTree .t7 code, .domTree .t8 code { color: green; }
   ul.domTree .t10 code { color: teal; }

   body.dfnEnabled dfn { cursor: pointer; }
   .dfnPanel {
     display: inline;
     position: absolute;
     z-index: 10;
     height: auto;
     width: auto;
     padding: 0.5em 0.75em;
     font: small sans-serif, Droid Sans Fallback;
     background: #DDDDDD;
     color: black;
     border: outset 0.2em;
   }
   .dfnPanel * { margin: 0; padding: 0; font: inherit; text-indent: 0; }
   .dfnPanel :link, .dfnPanel :visited { color: black; }
   .dfnPanel p { font-weight: bolder; }
   .dfnPanel * + p { margin-top: 0.25em; }
   .dfnPanel li { list-style-position: inside; }

   #configUI { position: absolute; z-index: 20; top: 10em; right: 1em; width: 11em; font-size: small; }
   #configUI p { margin: 0.5em 0; padding: 0.3em; background: #EEEEEE; color: black; border: inset thin; }
   #configUI p label { display: block; }
   #configUI #updateUI, #configUI .loginUI { text-align: center; }
   #configUI input[type=button] { display: block; margin: auto; }

   fieldset { margin: 1em; padding: 0.5em 1em; }
   fieldset > legend + * { margin-top: 0; }
   fieldset > :last-child { margin-bottom: 0; }
   fieldset p { margin: 0.5em 0; }

   .stability {
     position: fixed;
     bottom: 0;
     left: 0; right: 0;
     margin: 0 auto 0 auto !important;
    z-index: 1000;
     width: 50%;
     background: maroon; color: yellow;
     -webkit-border-radius: 1em 1em 0 0;
     -moz-border-radius: 1em 1em 0 0;
     border-radius: 1em 1em 0 0;
     -moz-box-shadow: 0 0 1em #500;
     -webkit-box-shadow: 0 0 1em #500;
     box-shadow: 0 0 1em red;
     padding: 0.5em 1em;
     text-align: center;
   }
   .stability strong {
     display: block;
   }
   .stability input {
     appearance: none; margin: 0; border: 0; padding: 0.25em 0.5em; background: transparent; color: black;
     position: absolute; top: -0.5em; right: 0; font: 1.25em sans-serif; text-align: center;
   }
   .stability input:hover {
     color: white;
     text-shadow: 0 0 2px black;
   }
   .stability input:active {
     padding: 0.3em 0.45em 0.2em 0.55em;
   }
   .stability :link, .stability :visited,
   .stability :link:hover, .stability :visited:hover {
     background: transparent;
     color: white;
   }

  </style><link href="data:text/css,.impl%20%7B%20display:%20none;%20%7D%0Ahtml%20%7B%20border:%20solid%20yellow;%20%7D%20.domintro:before%20%7B%20display:%20none;%20%7D" id="author" rel="alternate stylesheet" title="Author documentation only"><link href="data:text/css,.impl%20%7B%20background:%20%23FFEEEE;%20%7D%20.domintro:before%20%7B%20background:%20%23FFEEEE;%20%7D" id="highlight" rel="alternate stylesheet" title="Highlight implementation
requirements"><link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet" type="text/css"><style type="text/css">

   .applies thead th > * { display: block; }
   .applies thead code { display: block; }
   .applies tbody th { whitespace: nowrap; }
   .applies td { text-align: center; }
   .applies .yes { background: yellow; }

   .matrix, .matrix td { border: hidden; text-align: right; }
   .matrix { margin-left: 2em; }

   .dice-example { border-collapse: collapse; border-style: hidden solid solid hidden; border-width: thin; margin-left: 3em; }
   .dice-example caption { width: 30em; font-size: smaller; font-style: italic; padding: 0.75em 0; text-align: left; }
   .dice-example td, .dice-example th { border: solid thin; width: 1.35em; height: 1.05em; text-align: center; padding: 0; }

   td.eg { border-width: thin; text-align: center; }

   #table-example-1 { border: solid thin; border-collapse: collapse; margin-left: 3em; }
   #table-example-1 * { font-family: "Essays1743", serif; line-height: 1.01em; }
   #table-example-1 caption { padding-bottom: 0.5em; }
   #table-example-1 thead, #table-example-1 tbody { border: none; }
   #table-example-1 th, #table-example-1 td { border: solid thin; }
   #table-example-1 th { font-weight: normal; }
   #table-example-1 td { border-style: none solid; vertical-align: top; }
   #table-example-1 th { padding: 0.5em; vertical-align: middle; text-align: center; }
   #table-example-1 tbody tr:first-child td { padding-top: 0.5em; }
   #table-example-1 tbody tr:last-child td { padding-bottom: 1.5em; }
   #table-example-1 tbody td:first-child { padding-left: 2.5em; padding-right: 0; width: 9em; }
   #table-example-1 tbody td:first-child::after { content: leader(". "); }
   #table-example-1 tbody td { padding-left: 2em; padding-right: 2em; }
   #table-example-1 tbody td:first-child + td { width: 10em; }
   #table-example-1 tbody td:first-child + td ~ td { width: 2.5em; }
   #table-example-1 tbody td:first-child + td + td + td ~ td { width: 1.25em; }

   .apple-table-examples { border: none; border-collapse: separate; border-spacing: 1.5em 0em; width: 40em; margin-left: 3em; }
   .apple-table-examples * { font-family: "Times", serif; }
   .apple-table-examples td, .apple-table-examples th { border: none; white-space: nowrap; padding-top: 0; padding-bottom: 0; }
   .apple-table-examples tbody th:first-child { border-left: none; width: 100%; }
   .apple-table-examples thead th:first-child ~ th { font-size: smaller; font-weight: bolder; border-bottom: solid 2px; text-align: center; }
   .apple-table-examples tbody th::after, .apple-table-examples tfoot th::after { content: leader(". ") }
   .apple-table-examples tbody th, .apple-table-examples tfoot th { font: inherit; text-align: left; }
   .apple-table-examples td { text-align: right; vertical-align: top; }
   .apple-table-examples.e1 tbody tr:last-child td { border-bottom: solid 1px; }
   .apple-table-examples.e1 tbody + tbody tr:last-child td { border-bottom: double 3px; }
   .apple-table-examples.e2 th[scope=row] { padding-left: 1em; }
   .apple-table-examples sup { line-height: 0; }

   .details-example img { vertical-align: top; }

   #base64-table {
     white-space: nowrap;
     font-size: 0.6em;
     column-width: 6em;
     column-count: 5;
     column-gap: 1em;
     -moz-column-width: 6em;
     -moz-column-count: 5;
     -moz-column-gap: 1em;
     -webkit-column-width: 6em;
     -webkit-column-count: 5;
     -webkit-column-gap: 1em;
   }
   #base64-table thead { display: none; }
   #base64-table * { border: none; }
   #base64-table tbody td:first-child:after { content: ':'; }
   #base64-table tbody td:last-child { text-align: right; }

   #named-character-references-table {
     white-space: nowrap;
     font-size: 0.6em;
     column-width: 30em;
     column-gap: 1em;
     -moz-column-width: 30em;
     -moz-column-gap: 1em;
     -webkit-column-width: 30em;
     -webkit-column-gap: 1em;
   }
   #named-character-references-table > table > tbody > tr > td:first-child + td,
   #named-character-references-table > table > tbody > tr > td:last-child { text-align: center; }
   #named-character-references-table > table > tbody > tr > td:last-child:hover > span { position: absolute; top: auto; left: auto; margin-left: 0.5em; line-height: 1.2; font-size: 5em; border: outset; padding: 0.25em 0.5em; background: white; width: 1.25em; height: auto; text-align: center; }
   #named-character-references-table > table > tbody > tr#entity-CounterClockwiseContourIntegral > td:first-child { font-size: 0.5em; }

   .glyph.control { color: red; }

   @font-face {
     font-family: 'Essays1743';
     src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743.ttf');
   }
   @font-face {
     font-family: 'Essays1743';
     font-weight: bold;
     src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-Bold.ttf');
   }
   @font-face {
     font-family: 'Essays1743';
     font-style: italic;
     src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-Italic.ttf');
   }
   @font-face {
     font-family: 'Essays1743';
     font-style: italic;
     font-weight: bold;
     src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-BoldItalic.ttf');
   }

  </style><style type="text/css">
   .domintro:before { display: table; margin: -1em -0.5em -0.5em auto; width: auto; content: 'This box is non-normative. Implementation requirements are given below this box.'; color: black; font-style: italic; border: solid 2px; background: white; padding: 0 0.25em; }
  </style><script type="text/javascript">
   function getCookie(name) {
     var params = location.search.substr(1).split("&");
     for (var index = 0; index < params.length; index++) {
       if (params[index] == name)
         return "1";
       var data = params[index].split("=");
       if (data[0] == name)
         return unescape(data[1]);
     }
     var cookies = document.cookie.split("; ");
     for (var index = 0; index < cookies.length; index++) {
       var data = cookies[index].split("=");
       if (data[0] == name)
         return unescape(data[1]);
     }
     return null;
   }
  </script>
  <script src="link-fixup.js" type="text/javascript"></script>
  <link href="style.css" rel="stylesheet"><link href="browsers.html" title="5 Loading Web pages" rel="prev">
  <link href="spec.html#contents" title="Table of contents" rel="index">
  <link href="history.html" title="5.4 Session history and navigation" rel="next">
  </head><body><div class="head" id="head">
<div id="multipage-common">
  <p class="stability" id="wip"><strong>This is a work in
  progress!</strong> For the latest updates from the HTML WG, possibly
  including important bug fixes, please look at the <a href="http://dev.w3.org/html5/spec/Overview.html">editor's draft</a> instead.
  There may also be a more
  <a href="http://www.w3.org/TR/html5">up-to-date Working Draft</a>
   with changes based on resolution of Last Call issues.
  <input onclick="closeWarning(this.parentNode)" type="button" value="&#9587;&#8413;"></p>
  <script type="text/javascript">
   function closeWarning(element) {
     element.parentNode.removeChild(element);
     var date = new Date();
     date.setDate(date.getDate()+4);
     document.cookie = 'hide-obsolescence-warning=1; expires=' + date.toGMTString();
   }
   if (getCookie('hide-obsolescence-warning') == '1')
     setTimeout(function () { document.getElementById('wip').parentNode.removeChild(document.getElementById('wip')); }, 2000);
  </script></div>

   <p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p>

   <h1>HTML5</h1>
   </div><div>
   <a href="browsers.html" class="prev">5 Loading Web pages</a> &#8211;
   <a href="spec.html#contents">Table of contents</a> &#8211;
   <a href="history.html" class="next">5.4 Session history and navigation</a>
  <ol class="toc"><li><ol><li><a href="origin-0.html#origin-0"><span class="secno">5.3 </span>Origin</a>
    <ol><li><a href="origin-0.html#relaxing-the-same-origin-restriction"><span class="secno">5.3.1 </span>Relaxing the same-origin restriction</a></li></ol></li></ol></li></ol></div>

  <h3 id="origin-0"><span class="secno">5.3 </span>Origin</h3><p>The <dfn id="origin">origin</dfn> of a resource and the <dfn id="effective-script-origin">effective script
  origin</dfn> of a resource are both either opaque identifiers or
  tuples consisting of a scheme component, a host component, a port
  component, and optionally extra data.</p><p class="note">The extra data could include the certificate of the
  site when using encrypted connections, to ensure that if the site's
  secure certificate changes, the origin is considered to change as
  well.</p><div class="impl">

  <p>These characteristics are defined as follows:</p>

  <dl><dt>For URLs</dt>

   <dd>

    <p>The <a href="#origin">origin</a> and <a href="#effective-script-origin">effective script
    origin</a> of the <a href="urls.html#url">URL</a> is whatever is returned by
    the following algorithm:</p>

    <ol><li><p>Let <var title="">url</var> be the <a href="urls.html#url">URL</a> for
     which the <a href="#origin">origin</a> is being determined.</p></li>

     <li><p><a href="urls.html#parse-a-url" title="parse a url">Parse</a> <var title="">url</var>.</p></li>

     <li><p>If <var title="">url</var> identifies a resource that is
     its own trust domain (e.g. it identifies an e-mail on an IMAP
     server or a post on an NNTP server) then return a globally unique
     identifier specific to the resource identified by <var title="">url</var>, so that if this algorithm is invoked again
     for <a href="urls.html#url" title="URL">URLs</a> that identify the same resource,
     the same identifier will be returned.</p></li>

     <li><p>If <var title="">url</var> does not use a server-based
     naming authority, or if parsing <var title="">url</var> failed,
     or if <var title="">url</var> is not an <a href="urls.html#absolute-url">absolute
     URL</a>, then return a new globally unique
     identifier.</p></li>

     <li><p>Let <var title="">scheme</var> be the <a href="urls.html#url-scheme" title="url-scheme">&lt;scheme&gt;</a> component of <var title="">url</var>, <a href="infrastructure.html#converted-to-ascii-lowercase">converted to ASCII lowercase</a>.</p></li>

     <li><p>If the UA doesn't support the protocol given by <var title="">scheme</var>, then return a new globally unique
     identifier.</p></li>

     <li><p>If <var title="">scheme</var> is "<code title="">file</code>", then the user agent may return a
     UA-specific value.</p></li>

     <li><p>Let <var title="">host</var> be the <a href="urls.html#url-host" title="url-host">&lt;host&gt;</a> component of <var title="">url</var>.</p></li>

     <li>

      <p>Apply the IDNA ToASCII algorithm to <var title="">host</var>,
      with both the AllowUnassigned and UseSTD3ASCIIRules flags
      set. Let <var title="">host</var> be the result of the ToASCII
      algorithm.</p>

      <p>If ToASCII fails to convert one of the components of the
      string, e.g. because it is too long or because it contains
      invalid characters, then return a new globally unique
      identifier. <a href="references.html#refsRFC3490">[RFC3490]</a></p>

     </li>

     <li><p>Let <var title="">host</var> be the result of converting
     <var title="">host</var> <a href="infrastructure.html#converted-to-ascii-lowercase" title="converted to ASCII lowercase">to
     ASCII lowercase</a>.</p></li>

     <li><p>If there is no <a href="urls.html#url-port" title="url-port">&lt;port&gt;</a>
     component, then let <var title="">port</var> be the default port
     for the protocol given by <var title="">scheme</var>. Otherwise,
     let <var title="">port</var> be the <a href="urls.html#url-port" title="url-port">&lt;port&gt;</a> component of <var title="">url</var>.</p></li>

     <li><p>Return the tuple (<var title="">scheme</var>, <var title="">host</var>, <var title="">port</var>).</p></li>

    </ol><p>In addition, if the <a href="urls.html#url">URL</a> is in fact associated with
    a <code><a href="infrastructure.html#document">Document</a></code> object that was created by parsing the
    resource obtained from fetching <a href="urls.html#url">URL</a>, and this was
    done over a secure connection, then the server's secure
    certificate may be added to the origin as additional data.</p>

   </dd>


   <dt>For scripts</dt>

   <dd>

    <p>The <a href="#origin">origin</a> and <a href="#effective-script-origin">effective script
    origin</a> of a script are determined from another resource,
    called the <i>owner</i>:</p>

    <dl class="switch"><dt>If a script is in a <code><a href="scripting-1.html#the-script-element">script</a></code> element</dt>

     <dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> to which the
     <code><a href="scripting-1.html#the-script-element">script</a></code> element belongs.</dd>


     <dt>If a script is in an <a href="webappapis.html#event-handler-content-attributes" title="event handler content
     attributes">event handler content attribute</a></dt>

     <dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> to which the
     attribute node belongs.</dd>


     <dt>If a script is a function or other code reference created by
     another script</dt>

     <dd>The owner is the script that created it.</dd>


     <dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> that was returned as the
     location of an HTTP redirect (<a href="fetching-resources.html#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a> in
     other protocols)</dt>

     <dd>The owner is the <a href="urls.html#url">URL</a> that redirected to the
     <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a>.</dd>


     <dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> in an attribute</dt>

     <dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> of the element on
     which the attribute is found.</dd>


     <dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> in a style sheet</dt>

     <dd>The owner is the <a href="urls.html#url">URL</a> of the style sheet.</dd>


     <dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> to which a <a href="browsers.html#browsing-context">browsing
     context</a> is being <a href="history.html#navigate" title="navigate">navigated</a>,
     the URL having been provided by the user (e.g. by using a
     <i>bookmarklet</i>)</dt>

     <dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> of the <a href="browsers.html#browsing-context">browsing
     context</a>'s <a href="browsers.html#active-document">active document</a>.</dd>


     <dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> to which a <a href="browsers.html#browsing-context">browsing
     context</a> is being <a href="history.html#navigate" title="navigate">navigated</a>,
     the URL having been declared in markup</dt>

     <dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> of the element
     (e.g. an <code><a href="text-level-semantics.html#the-a-element">a</a></code> or <code><a href="the-map-element.html#the-area-element">area</a></code> element) that
     declared the URL.</dd>


     <dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> to which a <a href="browsers.html#browsing-context">browsing
     context</a> is being <a href="history.html#navigate" title="navigate">navigated</a>,
     the URL having been provided by script</dt>

     <dd>The owner is the script that provided the URL.</dd>

    </dl><p>The <a href="#origin">origin</a> of the script is then equal to the
    <a href="#origin">origin</a> of the owner, and the <a href="#effective-script-origin">effective script
    origin</a> of the script is equal to the <a href="#effective-script-origin">effective script
    origin</a> of the owner.</p>

   </dd>


   <dt>For <code><a href="infrastructure.html#document">Document</a></code> objects and images</dt>

   <dd>

    <dl class="switch"><dt id="sandboxOrigin">If a <code><a href="infrastructure.html#document">Document</a></code> is in a
     <a href="browsers.html#browsing-context">browsing context</a> whose <a href="the-iframe-element.html#sandboxed-origin-browsing-context-flag">sandboxed origin
     browsing context flag</a> was set when the
     <code><a href="infrastructure.html#document">Document</a></code> was created</dt>

     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> was generated from a resource
     labeled as <code><a href="iana.html#text-html-sandboxed">text/html-sandboxed</a></code></dt>

     <dd>The <a href="#origin">origin</a> is a globally unique identifier
     assigned when the <code><a href="infrastructure.html#document">Document</a></code> is created.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was generated from a
     <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code>javascript:</code>
     URL</a></dt>

     <dd>The <a href="#origin">origin</a> is equal to the <a href="#origin">origin</a>
     of the script of that <a href="webappapis.html#javascript-protocol" title="javascript
     protocol"><code>javascript:</code> URL</a>.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was served over the
     network and has an address that uses a URL scheme with a
     server-based naming authority</dt>

     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
     <a href="dom.html#the-document-s-address" title="the document's address">address</a> of the
     <code><a href="infrastructure.html#document">Document</a></code> or the <a href="urls.html#url">URL</a> of the image, as
     appropriate.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was generated from a
     <a href="infrastructure.html#data-protocol" title="data protocol"><code title="">data:</code>
     URL</a> that was returned as the location of an HTTP redirect
     (<a href="fetching-resources.html#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>
     in other protocols)</dt>

     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
     <a href="urls.html#url">URL</a> that redirected to the <a href="infrastructure.html#data-protocol" title="data
     protocol"><code title="">data:</code> URL</a>.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was generated from a
     <a href="infrastructure.html#data-protocol" title="data protocol"><code title="">data:</code>
     URL</a> found in another <code><a href="infrastructure.html#document">Document</a></code> or in a
     script</dt>

     <dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
     <code><a href="infrastructure.html#document">Document</a></code> or script that initiated the <a href="history.html#navigate" title="navigate">navigation</a> to that <a href="urls.html#url">URL</a>.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> has the <a href="dom.html#the-document-s-address" title="the
     document's address">address</a>
     "<code><a href="fetching-resources.html#about:blank">about:blank</a></code>"</dt>

     <dd>The <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code> is <a href="browsers.html#about-blank-origin">the <span>origin</span> it was
     assigned when its browsing context was created</a>.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> is <a href="the-iframe-element.html#an-iframe-srcdoc-document">an <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code> document</a></dt>

     <dd>The <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code> is the
     <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code>'s <a href="browsers.html#browsing-context">browsing
     context</a>'s <a href="browsers.html#browsing-context-container">browsing context container</a>'s
     <code><a href="infrastructure.html#document">Document</a></code>.</dd>


     <dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was obtained in some
     other manner (e.g. a <a href="infrastructure.html#data-protocol" title="data protocol"><code title="">data:</code> URL</a> typed in by the user, a
     <code><a href="infrastructure.html#document">Document</a></code> created using the <code title="dom-DOMImplementation-createDocument"><a href="infrastructure.html#dom-domimplementation-createdocument">createDocument()</a></code>
     API, etc)</dt>

     <dd>The <a href="#origin">origin</a> is a globally unique identifier
     assigned when the <code><a href="infrastructure.html#document">Document</a></code> or image is created.</dd>

    </dl><p>When a <code><a href="infrastructure.html#document">Document</a></code> is created, its <a href="#effective-script-origin">effective
    script origin</a> is initialized to the <a href="#origin">origin</a> of
    the <code><a href="infrastructure.html#document">Document</a></code>. However, the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute can
    be used to change it.</p>

   </dd>


   <dt>For <code><a href="the-iframe-element.html#the-audio-element">audio</a></code> and <code><a href="the-iframe-element.html#the-video-element">video</a></code> elements</dt>

   <dd>

    <p>If value of the <a href="the-iframe-element.html#media-element">media element</a>'s <code title="dom-media-currentSrc"><a href="the-iframe-element.html#dom-media-currentsrc">currentSrc</a></code> attribute is the
    empty string, the <a href="#origin">origin</a> is the same as the
    <a href="#origin">origin</a> of the element's <code><a href="infrastructure.html#document">Document</a></code>'s
    <a href="#origin">origin</a>.</p>

    <p>Otherwise, the <a href="#origin">origin</a> is equal to the
    <a href="#origin">origin</a> of the <a href="urls.html#absolute-url">absolute URL</a> given by the
    <a href="the-iframe-element.html#media-element">media element</a>'s <code title="dom-media-currentSrc"><a href="the-iframe-element.html#dom-media-currentsrc">currentSrc</a></code> attribute.</p>

   </dd>


   <dt>For fonts</dt>

   <dd>

    <p>The <a href="#origin">origin</a> of a downloadable Web font is equal to
    the <a href="#origin">origin</a> of the <a href="urls.html#absolute-url">absolute URL</a> used to
    obtain the font (after any redirects). <a href="references.html#refsCSSFONTS">[CSSFONTS]</a></p>

    <p>The <a href="#origin">origin</a> of a locally installed system font is
    equal to the <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code> in
    which that font is being used.</p>

   </dd>

  </dl><p>Other specifications can override the above definitions by
  themselves specifying the origin of a particular URL, script,
  <code><a href="infrastructure.html#document">Document</a></code>, or image.</p>


  <hr><p>The <dfn id="unicode-serialization-of-an-origin">Unicode serialization of an origin</dfn> is the string
  obtained by applying the following algorithm to the given
  <a href="#origin">origin</a>:</p>

  <ol><li><p>If the <a href="#origin">origin</a> in question is not a
   scheme/host/port tuple, then return the literal string "<code title="">null</code>" and abort these steps.</p></li>

   <li><p>Otherwise, let <var title="">result</var> be the scheme part
   of the <a href="#origin">origin</a> tuple.</p></li>

   <li><p>Append the string "<code title="">://</code>" to <var title="">result</var>.</p></li>

   <li><p>Apply the IDNA ToUnicode algorithm to each component of the
   host part of the <a href="#origin">origin</a> tuple, and append the results
   &#8212; each component, in the same order, separated by U+002E FULL
   STOP characters (.) &#8212; to <var title="">result</var>. <a href="references.html#refsRFC3490">[RFC3490]</a></p></li>

   <li><p>If the port part of the <a href="#origin">origin</a> tuple gives a port
   that is different from the default port for the protocol given by
   the scheme part of the <a href="#origin">origin</a> tuple, then append a
   U+003A COLON character (:) and the given port, in base ten, to
   <var title="">result</var>.</p></li>

   <li><p>Return <var title="">result</var>.</p></li>

  </ol><p>The <dfn id="ascii-serialization-of-an-origin">ASCII serialization of an origin</dfn> is the string
  obtained by applying the following algorithm to the given
  <a href="#origin">origin</a>:</p>

  <ol><li><p>If the <a href="#origin">origin</a> in question is not a
   scheme/host/port tuple, then return the literal string "<code title="">null</code>" and abort these steps.</p></li>

   <li><p>Otherwise, let <var title="">result</var> be the scheme part
   of the <a href="#origin">origin</a> tuple.</p></li>

   <li><p>Append the string "<code title="">://</code>" to <var title="">result</var>.</p></li>

   <li>

    <p>Apply the IDNA ToASCII algorithm the host part of the
    <a href="#origin">origin</a> tuple, with both the AllowUnassigned and
    UseSTD3ASCIIRules flags set, and append the results <var title="">result</var>.</p>

    <p>If ToASCII fails to convert one of the components of the
    string, e.g. because it is too long or because it contains invalid
    characters, then return the empty string and abort these steps. <a href="references.html#refsRFC3490">[RFC3490]</a></p>

   </li>

   <li><p>If the port part of the <a href="#origin">origin</a> tuple gives a port
   that is different from the default port for the protocol given by
   the scheme part of the <a href="#origin">origin</a> tuple, then append a
   U+003A COLON character (:) and the given port, in base ten, to
   <var title="">result</var>.</p></li>

   <li><p>Return <var title="">result</var>.</p></li>

  </ol><p>Two <a href="#origin" title="origin">origins</a> are said to be the
  <dfn id="same-origin">same origin</dfn> if the following algorithm returns true:</p>

  <ol><li><p>Let <var title="">A</var> be the first <a href="#origin">origin</a>
   being compared, and <var title="">B</var> be the second
   <a href="#origin">origin</a> being compared.</p></li>

   <li><p>If <var title="">A</var> and <var title="">B</var> are both
   opaque identifiers, and their value is equal, then return
   true.</p></li>

   <li><p>Otherwise, if either <var title="">A</var> or <var title="">B</var> or both are opaque identifiers, return
   false.</p></li>

   <li><p>If <var title="">A</var> and <var title="">B</var> have
   scheme components that are not identical, return false.</p></li>

   <li><p>If <var title="">A</var> and <var title="">B</var> have host
   components that are not identical, return false.</p></li>

   <li><p>If <var title="">A</var> and <var title="">B</var> have port
   components that are not identical, return false.</p></li>

   <li><p>If either <var title="">A</var> or <var title="">B</var>
   have additional data, but that data is not identical for both,
   return false.</p></li>

   <li><p>Return true.</p></li>

  </ol></div><h4 id="relaxing-the-same-origin-restriction"><span class="secno">5.3.1 </span>Relaxing the same-origin restriction</h4><dl class="domintro"><dt><var title="">document</var> . <code title="dom-document-domain"><a href="#dom-document-domain">domain</a></code> [ = <var title="">domain</var> ]</dt>

   <dd>

    <p>Returns the current domain used for security checks.</p>

    <p>Can be set to a value that removes subdomains, to change the
    <a href="#effective-script-origin">effective script origin</a> to allow pages on other
    subdomains of the same domain (if they do the same thing) to
    access each other.</p>

   </dd>

  </dl><div class="impl">

  <p>The <dfn id="dom-document-domain" title="dom-document-domain"><code>domain</code></dfn>
  attribute on <code><a href="infrastructure.html#document">Document</a></code> objects must be initialized to
  <a href="#the-document-s-domain">the document's domain</a>, if it has one, and the empty
  string otherwise. If the value is an IPv6 address, then the square
  brackets from the host portion of the <a href="urls.html#url-host" title="url-host">&lt;host&gt;</a> component must be omitted from
  the attribute's value.</p>

  <p>On getting, the attribute must return its current value, unless
  the <code><a href="infrastructure.html#document">Document</a></code> has no <a href="browsers.html#browsing-context">browsing context</a>, in
  which case it must return the empty string.</p>

  <p>On setting, the user agent must run the following algorithm:</p>

  <ol><li>

    <p>If the <code><a href="infrastructure.html#document">Document</a></code> has no <a href="browsers.html#browsing-context">browsing
    context</a>, throw a <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and
    abort these steps.</p>

   </li>

   <li>

    <p>If the new value is an IP address, let <var title="">new
    value</var> be the new value. Otherwise, apply the IDNA ToASCII
    algorithm to the new value, with both the AllowUnassigned and
    UseSTD3ASCIIRules flags set, and let <var title="">new value</var>
    be the result of the ToASCII algorithm.</p>

    <p>If ToASCII fails to convert one of the components of the
    string, e.g. because it is too long or because it contains invalid
    characters, then throw a <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort
    these steps. <a href="references.html#refsRFC3490">[RFC3490]</a></p>

   </li>

   <li>

    <p>If <var title="">new value</var> is not exactly equal to the
    current value of the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute, then
    run these substeps:</p>

    <ol><li>

      <p>If the current value is an IP address, throw a
      <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort these steps.</p>

     </li>

     <li>

      <p>If <var title="">new value</var>, prefixed by a U+002E FULL
      STOP (.), does not exactly match the end of the current value,
      throw a <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort these
      steps.</p>

     </li>

     <li>

      <p>If <var title="">new value</var> matches a suffix in the
      Public Suffix List, or, if <var title="">new value</var>,
      prefixed by a U+002E FULL STOP (.), matches the end of a
      suffix in the Public Suffix List, then throw a
      <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort these steps. <a href="references.html#refsPSL">[PSL]</a></p>

      <p>Suffixes must be compared after applying the IDNA ToASCII
      algorithm to them, with both the AllowUnassigned and
      UseSTD3ASCIIRules flags set, in an <a href="infrastructure.html#ascii-case-insensitive">ASCII
      case-insensitive</a> manner. <a href="references.html#refsRFC3490">[RFC3490]</a></p>

     </li>

    </ol></li>

   <li><p>Release the <a href="webappapis.html#storage-mutex">storage mutex</a>.</p></li>

   <li>

    <p>Set the attribute's value to <var title="">new value</var>.</p>

   </li>

   <li>

    <p>Set the host part of the <a href="#effective-script-origin">effective script origin</a>
    tuple of the <code><a href="infrastructure.html#document">Document</a></code> to <var title="">new
    value</var>.</p>

   </li>

   <li>

    <p>Set the port part of the <a href="#effective-script-origin">effective script origin</a>
    tuple of the <code><a href="infrastructure.html#document">Document</a></code> to "manual override" (a value
    that, for the purposes of <a href="#same-origin" title="same origin">comparing
    origins</a>, is identical to "manual override" but not
    identical to any other value).</p>

   </li>

  </ol><p>The <dfn id="the-document-s-domain" title="the document's domain">domain</dfn> of a
  <code><a href="infrastructure.html#document">Document</a></code> is the host part of the document's
  <a href="#origin">origin</a>, if that is a scheme/host/port tuple. If it
  isn't, then the document does not have a domain.</p>

  </div><p class="note">The <code title="dom-document-domain"><a href="#dom-document-domain">domain</a></code>
  attribute is used to enable pages on different hosts of a domain to
  access each others' DOMs.</p><p class="warning">Do not use the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute when
  using shared hosting. If an untrusted third party is able to host an
  HTTP server at the same IP address but on a different port, then the
  same-origin protection that normally protects two different sites on
  the same host will fail, as the ports are ignored when comparing
  origins after the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute has
  been used.</p></body></html>