docs.rodeo

MDN Web Docs mirror

Origin

Web content’s origin is defined by the scheme (protocol), hostname (domain), and port of the URL used to access it. Two objects have the same origin only when the scheme, hostname, and port all match.

Some operations are restricted to same-origin content, and this restriction can be lifted using CORS.

Opaque origin

An opaque origin is a special type of browser-internal value that obscures the true origin of a resource (opaque origins are always serialized as null). They are used by the browser to ensure resource isolation as they are never considered equal to any other origin — including other opaque origins.

Opaque origins are applied in cases where the true origin of a resource is sensitive, cannot be safely used for security checks, or does not exist. A resource with an opaque origin will have its Origin HTTP header in requests set to null. It will also fail same-origin checks with any other resource, and hence be restricted to only those operations available to cross-origin resources.

Common cases where opaque origins are used include:

Examples

These are same origin because they have the same scheme (http) and hostname (example.com), and the different file path does not matter:

These are same origin because a server delivers HTTP content through port 80 by default:

These are not same origin because they use different schemes:

These are not same origin because they use different hostnames:

These are not same origin because they use different ports:
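The comparison rules described on this page, including the opaque-origin case, written out as an added example (not code from MDN). The function names are hypothetical, and it uses the standard `URL` API. It also shows why comparing serialized origins as strings is not enough: two opaque origins both serialize as `null` yet must never match.

```javascript
// Added example; every URL used with it is a constructed sample value.

// Parse a URL into its origin tuple, or return null for an opaque origin.
function originTuple(input) {
  const serialized = new URL(input).origin;
  // The URL API serializes opaque origins (data:, file:, ...) as "null".
  if (serialized === "null") return null;
  // Re-parse the serialized origin so blob: URLs resolve to their inner origin.
  const o = new URL(serialized);
  const defaultPorts = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };
  return {
    scheme: o.protocol,
    host: o.hostname,
    // port is "" when it equals the scheme default, so make it explicit.
    port: o.port || defaultPorts[o.protocol] || "",
  };
}

// Same origin only when scheme, hostname, and port all match.
function sameOrigin(a, b) {
  const x = originTuple(a);
  const y = originTuple(b);
  // An opaque origin never equals any origin, including another opaque one.
  if (x === null || y === null) return false;
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Naive string comparison, shown for contrast: it wrongly treats two
// opaque origins as equal because both serialize to "null".
function naiveSameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}
```

The same reasoning applies on the server: an `Origin: null` request header identifies no particular origin, so an allow-list check should never treat it as a match.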
