On this page
  • Origin
    • "same-origin" and "cross-origin"
  • Site
    • "same-site" and "cross-site"
    • "schemeful same-site"
  • How to check if a request is "same-site", "same-origin", or "cross-site"

Understanding "same-site" and "same-origin"

Apr 15, 2020 — Updated Jun 10, 2020
Appears in: Safe and secure
Eiji Kitamura

"same-site" and "same-origin" are frequently cited but often misunderstood terms. For example, they are mentioned in the context of page transitions, fetch() requests, cookies, opening popups, embedded resources, and iframes.

Origin #

[Figure: Origin]

"Origin" is the combination of a scheme (also known as the protocol, for example HTTP or HTTPS), hostname, and port (if specified). For example, given a URL of https://www.example.com:443/foo, the "origin" is https://www.example.com:443.

"same-origin" and "cross-origin" #

Websites that have the combination of the same scheme, hostname, and port are considered "same-origin". Everything else is considered "cross-origin".

| Origin A | Origin B | Explanation of whether Origin A and B are "same-origin" or "cross-origin" |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | cross-origin: different domains |
| https://www.example.com:443 | https://example.com:443 | cross-origin: different subdomains |
| https://www.example.com:443 | https://login.example.com:443 | cross-origin: different subdomains |
| https://www.example.com:443 | http://www.example.com:443 | cross-origin: different schemes |
| https://www.example.com:443 | https://www.example.com:80 | cross-origin: different ports |
| https://www.example.com:443 | https://www.example.com:443 | same-origin: exact match |
| https://www.example.com:443 | https://www.example.com | same-origin: implicit port number (443) matches |
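The table above can be reproduced in code. The following is an added example, not part of the original article, that derives the (scheme, hostname, port) tuple from a URL with the standard WHATWG URL API and compares two URLs for "same-origin". The function names (originOf, originString, isSameOrigin, explainOrigin) and the DEFAULT_PORTS map are this example's own; the URL parser drops a scheme's default port, so the map restores it, which is what makes the last row of the table come out as same-origin.

```javascript
// Added example (not from the original article): derive the origin tuple
// (scheme, hostname, port) from a URL and compare two URLs for "same-origin".
// Relies on the WHATWG URL API available in browsers and Node.js.

// Default ports per scheme. The URL parser normalises a default port away
// (new URL('https://a.example:443').port === ''), so it is restored here to make
// https://www.example.com and https://www.example.com:443 compare equal.
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

function originOf(urlString) {
  const url = new URL(urlString); // throws TypeError on an unparsable URL
  const port = url.port !== '' ? url.port : (DEFAULT_PORTS[url.protocol] ?? '');
  return { scheme: url.protocol.slice(0, -1), hostname: url.hostname, port };
}

// Serialise the tuple the way the article writes origins, e.g. https://www.example.com:443
function originString(urlString) {
  const { scheme, hostname, port } = originOf(urlString);
  return port ? `${scheme}://${hostname}:${port}` : `${scheme}://${hostname}`;
}

// "same-origin" means all three components match exactly.
function isSameOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  return oa.scheme === ob.scheme && oa.hostname === ob.hostname && oa.port === ob.port;
}

// Same verdict as the table, naming the first component that differs.
function explainOrigin(a, b) {
  const oa = originOf(a), ob = originOf(b);
  if (oa.hostname !== ob.hostname) return 'cross-origin: different hostnames';
  if (oa.scheme !== ob.scheme) return 'cross-origin: different schemes';
  if (oa.port !== ob.port) return 'cross-origin: different ports';
  return 'same-origin: scheme, hostname and port all match';
}

// Usage: walk the table's rows against the fixed Origin A.
const originA = 'https://www.example.com:443';
for (const originB of [
  'https://www.evil.com:443', 'https://example.com:443', 'https://login.example.com:443',
  'http://www.example.com:443', 'https://www.example.com:80', 'https://www.example.com:443',
  'https://www.example.com',
]) {
  console.log(`${originString(originB).padEnd(32)} ${explainOrigin(originA, originB)}`);
}
```

Note that the URL parser also lowercases the scheme and hostname, so a comparison built on it is not fooled by case differences; the path (/foo above) plays no part in the origin.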

Site #

[Figure: Site]

Top-level domains (TLDs) such as .com and .org are listed in the Root Zone Database. In the example above, "site" is the combination of the TLD and the part of the domain just before it. For example, given a URL of https://www.example.com:443/foo, the "site" is example.com.

However, for domains such as .co.jp or .github.io, just using the TLD of .jp or .io is not granular enough to identify the "site", and there is no way to algorithmically determine the level of registrable domains for a particular TLD. That's why a list of "effective TLDs" (eTLDs) was created. These are defined in the Public Suffix List, which is maintained at publicsuffix.org/list.

The whole site name is known as the eTLD+1. For example, given a URL of https://my-project.github.io, the eTLD is .github.io and the eTLD+1 is my-project.github.io, which is considered a "site". In other words, the eTLD+1 is the effective TLD and the part of the domain just before it.

[Figure: eTLD+1]

"same-site" and "cross-site" #

Websites that have the same eTLD+1 are considered "same-site". Websites that have a different eTLD+1 are "cross-site".

| Origin A | Origin B | Explanation of whether Origin A and B are "same-site" or "cross-site" |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | cross-site: different domains |
| https://www.example.com:443 | https://login.example.com:443 | same-site: different subdomains don't matter |
| https://www.example.com:443 | http://www.example.com:443 | same-site: different schemes don't matter |
| https://www.example.com:443 | https://www.example.com:80 | same-site: different ports don't matter |
| https://www.example.com:443 | https://www.example.com:443 | same-site: exact match |
| https://www.example.com:443 | https://www.example.com | same-site: ports don't matter |

"schemeful same-site" #

[Figure: schemeful same-site]

The definition of "same-site" is evolving to consider the URL scheme as part of the site in order to prevent HTTP being used as a weak channel. As browsers move to this interpretation you may see references to "scheme-less same-site" when referring to the older definition and "schemeful same-site" referring to the stricter definition. In that case, http://www.example.com and https://www.example.com are considered cross-site because the schemes don't match.

| Origin A | Origin B | Explanation of whether Origin A and B are "schemeful same-site" |
|---|---|---|
| https://www.example.com:443 | https://www.evil.com:443 | cross-site: different domains |
| https://www.example.com:443 | https://login.example.com:443 | schemeful same-site: different subdomains don't matter |
| https://www.example.com:443 | http://www.example.com:443 | cross-site: different schemes |
| https://www.example.com:443 | https://www.example.com:80 | schemeful same-site: different ports don't matter |
| https://www.example.com:443 | https://www.example.com:443 | schemeful same-site: exact match |
| https://www.example.com:443 | https://www.example.com | schemeful same-site: ports don't matter |
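The two "site" tables above (schemeless and schemeful) both reduce to finding the eTLD+1, which requires the Public Suffix List. The following is an added example, not part of the original article, that implements the list's published matching algorithm (exception rules win, otherwise the longest matching rule, otherwise the bare TLD) over a small hand-picked subset of real rules embedded as PSL_RULES; a production check must load the full list from publicsuffix.org/list instead. The functions publicSuffix, siteOf and siteRelation are this example's own names. A hostname that is itself a public suffix (github.io, localhost) has no eTLD+1, and this example falls back to treating such a host as its own site, which is also what browsers do.

```javascript
// Added example (not from the original article): compute the public suffix
// (eTLD), the eTLD+1 ("site") and the same-site / schemeful same-site
// relationship between two URLs.

// Constructed subset of real Public Suffix List rules, for illustration only.
// Rule forms: plain ("co.jp"), wildcard ("*.ck" = every label under ck is a
// suffix) and exception ("!www.ck" = www.ck is NOT a suffix despite "*.ck").
const PSL_RULES = ['com', 'org', 'jp', 'co.jp', 'io', 'github.io', '*.ck', '!www.ck'];

// A rule matches when its labels, compared right to left, equal the hostname's
// trailing labels; "*" matches any single label.
function ruleMatches(rule, labels) {
  const r = rule.replace(/^!/, '').split('.');
  if (r.length > labels.length) return false;
  for (let i = 1; i <= r.length; i++) {
    const rl = r[r.length - i];
    if (rl !== '*' && rl !== labels[labels.length - i]) return false;
  }
  return true;
}

// The PSL algorithm: exception rule wins; else the longest matching rule;
// else the implicit "*" rule, meaning the TLD alone is the suffix.
function publicSuffix(hostname) {
  const labels = hostname.toLowerCase().split('.');
  const matches = PSL_RULES.filter(rule => ruleMatches(rule, labels));
  const exception = matches.find(rule => rule.startsWith('!'));
  let suffixLabels;
  if (exception) suffixLabels = exception.split('.').length - 1; // drop its leftmost label
  else if (matches.length > 0) suffixLabels = Math.max(...matches.map(r => r.split('.').length));
  else suffixLabels = 1;
  return labels.slice(-suffixLabels).join('.');
}

// eTLD+1: the public suffix plus one more label. Returns null when the host
// is itself a public suffix and therefore has no registrable domain.
function siteOf(hostname) {
  if (/^\[.*\]$|^\d{1,3}(\.\d{1,3}){3}$/.test(hostname)) return hostname; // IP literals have no eTLD
  const labels = hostname.toLowerCase().split('.');
  const n = publicSuffix(hostname).split('.').length;
  if (labels.length <= n) return null;
  return labels.slice(-(n + 1)).join('.');
}

// Classify two URLs. With schemeful = true the scheme must match as well,
// reproducing the stricter "schemeful same-site" table.
function siteRelation(a, b, { schemeful = false } = {}) {
  const ua = new URL(a), ub = new URL(b);
  // A host with no registrable domain (localhost, github.io) is its own site.
  const keyA = siteOf(ua.hostname) ?? ua.hostname;
  const keyB = siteOf(ub.hostname) ?? ub.hostname;
  if (keyA !== keyB) return 'cross-site';
  if (schemeful && ua.protocol !== ub.protocol) return 'cross-site';
  return schemeful ? 'schemeful same-site' : 'same-site';
}

// Usage: the rows of the two tables against the fixed Origin A.
const siteA = 'https://www.example.com:443';
for (const siteB of ['https://www.evil.com:443', 'https://login.example.com:443',
  'http://www.example.com:443', 'https://www.example.com:80', 'https://www.example.com']) {
  console.log(siteB.padEnd(32), siteRelation(siteA, siteB).padEnd(10),
    siteRelation(siteA, siteB, { schemeful: true }));
}
```

The wildcard and exception rules are what make a hard-coded "TLD plus one label" rule unsafe: under the subset above, foo.ck is a public suffix (so bar.foo.ck and baz.foo.ck are cross-site to each other) while www.ck, by exception, is an ordinary site.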

How to check if a request is "same-site", "same-origin", or "cross-site" #

Chrome sends requests along with a Sec-Fetch-Site HTTP header. No other browsers support Sec-Fetch-Site as of April 2020. This is part of a larger Fetch Metadata Request Headers proposal. The header will have one of the following values:

  • cross-site
  • same-site
  • same-origin
  • none

By examining the value of Sec-Fetch-Site, you can determine if the request is "same-site", "same-origin", or "cross-site" ("schemeful same-site" is not distinguished by Sec-Fetch-Site).
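On the server, the practical use of this header is a resource-isolation check: let same-origin, same-site and user-initiated ("none") requests through, and reject cross-site requests except for plain top-level navigations. The following is an added example, not part of the original article, of such a check as a framework-agnostic function; resourceIsolationDecision and handleRequest are this example's own names, and the sample requests are constructed. It also reads Sec-Fetch-Mode and Sec-Fetch-Dest, which belong to the same Fetch Metadata proposal but are not listed above. A request with no Sec-Fetch-Site header at all is allowed, because, as the article notes, only Chrome sent the header at the time of writing and the missing header cannot be taken as evidence of a cross-site request.

```javascript
// Added example (not from the original article): a Fetch Metadata
// resource-isolation check driven by Sec-Fetch-Site.

// Node's http module lowercases incoming header names; normalise here so the
// function also works with header objects built by hand or by other frameworks.
function lowerCaseHeaders(headers) {
  return Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
}

// Returns { allow, reason } for a request with the given headers and method.
function resourceIsolationDecision(headers, method) {
  const h = lowerCaseHeaders(headers);
  const site = h['sec-fetch-site'];

  // No Fetch Metadata: the browser does not send it, so we cannot tell; allow.
  if (site === undefined) return { allow: true, reason: 'no Sec-Fetch-Site header (browser without Fetch Metadata)' };

  // Same-origin, same-site and user-initiated ("none", e.g. a typed URL or
  // bookmark) requests are the ones the application expects.
  if (site === 'same-origin' || site === 'same-site' || site === 'none') {
    return { allow: true, reason: `Sec-Fetch-Site: ${site}` };
  }

  if (site === 'cross-site') {
    // Permit ordinary top-level navigations (links from other sites), but not
    // when the document would be loaded into an <object> or <embed>.
    const isNavigation = h['sec-fetch-mode'] === 'navigate' && method.toUpperCase() === 'GET';
    const dest = h['sec-fetch-dest'];
    if (isNavigation && dest !== 'object' && dest !== 'embed') {
      return { allow: true, reason: 'cross-site top-level navigation' };
    }
    return { allow: false, reason: `cross-site ${method.toUpperCase()} with Sec-Fetch-Mode ${h['sec-fetch-mode'] ?? '(none)'}` };
  }

  // Any other value is not in the specification; fail closed.
  return { allow: false, reason: `unexpected Sec-Fetch-Site value: ${site}` };
}

// Minimal request handler shape: takes { method, headers }, returns { status, body }.
// Wire it into an http.createServer callback by passing req.method and req.headers.
function handleRequest(req) {
  const decision = resourceIsolationDecision(req.headers, req.method);
  if (!decision.allow) return { status: 403, body: `Forbidden: ${decision.reason}` };
  return { status: 200, body: `OK: ${decision.reason}` };
}

// Constructed sample requests, one per Sec-Fetch-Site value plus a legacy browser.
const SAMPLE_REQUESTS = [
  { method: 'POST', headers: { 'sec-fetch-site': 'same-origin', 'sec-fetch-mode': 'cors' } },
  { method: 'POST', headers: { 'sec-fetch-site': 'same-site', 'sec-fetch-mode': 'cors' } },
  { method: 'GET',  headers: { 'sec-fetch-site': 'none', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { method: 'GET',  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'navigate', 'sec-fetch-dest': 'document' } },
  { method: 'POST', headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'cors' } },
  { method: 'GET',  headers: { 'sec-fetch-site': 'cross-site', 'sec-fetch-mode': 'no-cors', 'sec-fetch-dest': 'image' } },
  { method: 'POST', headers: {} },
];

function runSamples() {
  return SAMPLE_REQUESTS.map(req => handleRequest(req).status);
}

for (const req of SAMPLE_REQUESTS) {
  const { status, body } = handleRequest(req);
  console.log(status, req.method.padEnd(4), body);
}
```

Because the article's point is that "schemeful same-site" is not reflected in Sec-Fetch-Site, a check like this cannot distinguish an http:// and an https:// caller on the same registrable domain; both arrive as same-site. Rejected requests are worth logging with their reason string, since a sudden rise in cross-site denials is a useful signal in its own right.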
