"Same-site" and "same-origin"

Eiji Kitamura
Eiji Kitamura

"Same-site" and "same-origin" are frequently cited but often misunderstood terms. For example, they're used in the context of page transitions, fetch() requests, cookies, opening popups, embedded resources, and iframes. This page explains what they are and how they're different from each other.

Origin

Origin
The structure of an origin.

"Origin" is a combination of a scheme (also known as the protocol, for example HTTP or HTTPS), a hostname, and a port (if specified). For example, given a URL of https://www.example.com:443/foo , the "origin" is https://www.example.com:443.

"Same-origin" and "cross-origin"

Websites that have the same combination of scheme, hostname, and port are considered "same-origin". Everything else is considered "cross-origin".

Origin A Origin B "Same-origin" or "cross-origin"?
https://www.example.com:443 https://www.evil.com:443 Cross-origin: different domains
https://example.com:443 Cross-origin: different subdomains
https://login.example.com:443 Cross-origin: different subdomains
http://www.example.com:443 Cross-origin: different schemes
https://www.example.com:80 Cross-origin: different ports
https://www.example.com:443 Same-origin: exact match
https://www.example.com Same-origin: implicit port number (443) matches

Site

Site (TLD+1)
The parts of a URL that make up a site.

Top-level domains (TLDs) such as .com and .org are listed in the Root Zone Database. In the previous
example, "site" is a combination of the scheme, the TLD, and the part of the domain just before it (We call it TLD+1). For example, given a URL of https://www.example.com:443/foo, the "site" is https://example.com.

Public Suffix List and eTLD

For domains with elements such as .co.jp or .github.io, just using .jp or .io isn't specific enough to identify the "site". There's no way to algorithmically determine the level of registrable domains for a particular TLD. To help with that, the Public Suffix List defines a list of public suffixes, also called effective TLDs (eTLDs). The list of eTLDs is maintained at publicsuffix.org/list.

To identify the "site" part of a domain that includes an eTLD, apply the same practice as the example with .com. Taking https://www.project.github.io:443/foo as an example, the scheme is https, the eTLD is .github.io and the eTLD+1 is project.github.io, so https://project.github.io is considered the "site" for this URL.

Site (eTLD+1)
The parts of a URL with an eTLD.

"same-site" and "cross-site"

Websites that have the same scheme and the same eTLD+1 are considered "same-site". Websites that have a different scheme or a different eTLD+1 are "cross-site".

Origin A Origin B "Same-site" or "cross-site"?
https://www.example.com:443 https://www.evil.com:443 Cross-site: different domains
https://login.example.com:443 Same-site: different subdomains don't matter
http://www.example.com:443 Cross-site: different schemes
https://www.example.com:80 Same-site: different ports don't matter
https://www.example.com:443 Same-site: exact match
https://www.example.com Same-site: ports don't matter

"Schemeless same-site"

schemeless same-site

The definition of "same-site" changed to include the URL scheme as part of the site to prevent HTTP being used as a weak channel. The older concept of "same-site" without scheme comparison is now called "schemeless same-site". For example, http://www.example.com and https://www.example.com are considered schemeless same-site but not same-site, because only the eTLD+1 part matters and the scheme isn't considered.

Origin A Origin B "Schemeless same-site" or "cross-site"?
https://www.example.com:443 https://www.evil.com:443 Cross-site: different domains
https://login.example.com:443 Schemeless same-site: different subdomains don't matter
http://www.example.com:443 Schemeless same-site: different schemes don't matter
https://www.example.com:80 Schemeless same-site: different ports don't matter
https://www.example.com:443 Schemeless same-site: exact match
https://www.example.com Schemeless same-site: ports don't matter

How to check if a request is "same-site", "same-origin", or "cross-site"

Browser Support

  • Chrome: 76.
  • Edge: 79.
  • Firefox: 90.
  • Safari: 16.4.

Source

All modern browsers send requests with a Sec-Fetch-Site HTTP header. The header has one of the following values:

  • cross-site
  • same-site (refers to schemeful same-site)
  • same-origin
  • none

You can examine the value of Sec-Fetch-Site to determine whether the request is same-site, same-origin, or cross-site.

You can reasonably trust the value of the Sec-Fetch-Site header, because: