ghopp
/
server_playground
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
Another abandoned server code base... this is kind of an ancestor of taskrambler.
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
160 Commits
1 Branch
0 Tags
51 MiB
 
 
 
 
 
 
Tree: 2a98883031
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '2a98883031'
${ noResults }
server_playground/doc/www.w3.org/TR/html5/origin-0.html

885 lines
45 KiB
Raw Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html lang="en-US-x-Hixie" ><head><title>5.3 Origin &#8212; HTML5 </title><style type="text/css">
pre { margin-left: 2em; white-space: pre-wrap; }
h2 { margin: 3em 0 1em 0; }
h3 { margin: 2.5em 0 1em 0; }
h4 { margin: 2.5em 0 0.75em 0; }
h5, h6 { margin: 2.5em 0 1em; }
h1 + h2, h1 + h2 + h2 { margin: 0.75em 0 0.75em; }
h2 + h3, h3 + h4, h4 + h5, h5 + h6 { margin-top: 0.5em; }
p { margin: 1em 0; }
hr:not(.top) { display: block; background: none; border: none; padding: 0; margin: 2em 0; height: auto; }
dl, dd { margin-top: 0; margin-bottom: 0; }
dt { margin-top: 0.75em; margin-bottom: 0.25em; clear: left; }
dt + dt { margin-top: 0; }
dd dt { margin-top: 0.25em; margin-bottom: 0; }
dd p { margin-top: 0; }
dd dl + p { margin-top: 1em; }
dd table + p { margin-top: 1em; }
p + * > li, dd li { margin: 1em 0; }
dt, dfn { font-weight: bold; font-style: normal; }
dt dfn { font-style: italic; }
pre, code { font-size: inherit; font-family: monospace; font-variant: normal; }
pre strong { color: black; font: inherit; font-weight: bold; background: yellow; }
pre em { font-weight: bolder; font-style: normal; }
@media screen { code { color: orangered; } code :link, code :visited { color: inherit; } }
var sub { vertical-align: bottom; font-size: smaller; position: relative; top: 0.1em; }
table { border-collapse: collapse; border-style: hidden hidden none hidden; }
table thead, table tbody { border-bottom: solid; }
table tbody th:first-child { border-left: solid; }
table tbody th { text-align: left; }
table td, table th { border-left: solid; border-right: solid; border-bottom: solid thin; vertical-align: top; padding: 0.2em; }
blockquote { margin: 0 0 0 2em; border: 0; padding: 0; font-style: italic; }
.bad, .bad *:not(.XXX) { color: gray; border-color: gray; background: transparent; }
.matrix, .matrix td { border: none; text-align: right; }
.matrix { margin-left: 2em; }
.dice-example { border-collapse: collapse; border-style: hidden solid solid hidden; border-width: thin; margin-left: 3em; }
.dice-example caption { width: 30em; font-size: smaller; font-style: italic; padding: 0.75em 0; text-align: left; }
.dice-example td, .dice-example th { border: solid thin; width: 1.35em; height: 1.05em; text-align: center; padding: 0; }
.toc dfn, h1 dfn, h2 dfn, h3 dfn, h4 dfn, h5 dfn, h6 dfn { font: inherit; }
img.extra { float: right; }
pre.idl { border: solid thin; background: #EEEEEE; color: black; padding: 0.5em 1em; }
pre.idl :link, pre.idl :visited { color: inherit; background: transparent; }
pre.css { border: solid thin; background: #FFFFEE; color: black; padding: 0.5em 1em; }
pre.css:first-line { color: #AAAA50; }
dl.domintro { color: green; margin: 2em 0 2em 2em; padding: 0.5em 1em; border: none; background: #DDFFDD; }
hr + dl.domintro, div.impl + dl.domintro { margin-top: 2.5em; margin-bottom: 1.5em; }
dl.domintro dt, dl.domintro dt * { color: black; text-decoration: none; }
dl.domintro dd { margin: 0.5em 0 1em 2em; padding: 0; }
dl.domintro dd p { margin: 0.5em 0; }
dl.switch { padding-left: 2em; }
dl.switch > dt { text-indent: -1.5em; }
dl.switch > dt:before { content: '\21AA'; padding: 0 0.5em 0 0; display: inline-block; width: 1em; text-align: right; line-height: 0.5em; }
dl.triple { padding: 0 0 0 1em; }
dl.triple dt, dl.triple dd { margin: 0; display: inline }
dl.triple dt:after { content: ':'; }
dl.triple dd:after { content: '\A'; white-space: pre; }
.diff-old { text-decoration: line-through; color: silver; background: transparent; }
.diff-chg, .diff-new { text-decoration: underline; color: green; background: transparent; }
a .diff-new { border-bottom: 1px blue solid; }
h2 { page-break-before: always; }
h1, h2, h3, h4, h5, h6 { page-break-after: avoid; }
h1 + h2, hr + h2.no-toc { page-break-before: auto; }
p > span:not([title=""]):not([class="XXX"]):not([class="impl"]):not([class="note"]),
li > span:not([title=""]):not([class="XXX"]):not([class="impl"]):not([class="note"]), { border-bottom: solid #9999CC; }
div.head { margin: 0 0 1em; padding: 1em 0 0 0; }
div.head p { margin: 0; }
div.head h1 { margin: 0; }
div.head .logo { float: right; margin: 0 1em; }
div.head .logo img { border: none } /* remove border from top image */
div.head dl { margin: 1em 0; }
div.head p.copyright, div.head p.alt { font-size: x-small; font-style: oblique; margin: 0; }
body > .toc > li { margin-top: 1em; margin-bottom: 1em; }
body > .toc.brief > li { margin-top: 0.35em; margin-bottom: 0.35em; }
body > .toc > li > * { margin-bottom: 0.5em; }
body > .toc > li > * > li > * { margin-bottom: 0.25em; }
.toc, .toc li { list-style: none; }
.brief { margin-top: 1em; margin-bottom: 1em; line-height: 1.1; }
.brief li { margin: 0; padding: 0; }
.brief li p { margin: 0; padding: 0; }
.category-list { margin-top: -0.75em; margin-bottom: 1em; line-height: 1.5; }
.category-list::before { content: '\21D2\A0'; font-size: 1.2em; font-weight: 900; }
.category-list li { display: inline; }
.category-list li:not(:last-child)::after { content: ', '; }
.category-list li > span, .category-list li > a { text-transform: lowercase; }
.category-list li * { text-transform: none; } /* don't affect <code> nested in <a> */
.XXX { color: #E50000; background: white; border: solid red; padding: 0.5em; margin: 1em 0; }
.XXX > :first-child { margin-top: 0; }
p .XXX { line-height: 3em; }
.annotation { border: solid thin black; background: #0C479D; color: white; position: relative; margin: 8px 0 20px 0; }
.annotation:before { position: absolute; left: 0; top: 0; width: 100%; height: 100%; margin: 6px -6px -6px 6px; background: #333333; z-index: -1; content: ''; }
.annotation :link, .annotation :visited { color: inherit; }
.annotation :link:hover, .annotation :visited:hover { background: transparent; }
.annotation span { border: none ! important; }
.note { color: green; background: transparent; font-family: sans-serif; }
.warning { color: red; background: transparent; }
.note, .warning { font-weight: bolder; font-style: italic; }
p.note, div.note { padding: 0.5em 2em; }
span.note { padding: 0 2em; }
.note p:first-child, .warning p:first-child { margin-top: 0; }
.note p:last-child, .warning p:last-child { margin-bottom: 0; }
.warning:before { font-style: normal; }
p.note:before { content: 'Note: '; }
p.warning:before { content: '\26A0 Warning! '; }
.bookkeeping:before { display: block; content: 'Bookkeeping details'; font-weight: bolder; font-style: italic; }
.bookkeeping { font-size: 0.8em; margin: 2em 0; }
.bookkeeping p { margin: 0.5em 2em; display: list-item; list-style: square; }
.bookkeeping dt { margin: 0.5em 2em 0; }
.bookkeeping dd { margin: 0 3em 0.5em; }
h4 { position: relative; z-index: 3; }
h4 + .element, h4 + div + .element { margin-top: -2.5em; padding-top: 2em; }
.element {
background: #EEEEFF;
color: black;
margin: 0 0 1em 0.15em;
padding: 0 1em 0.25em 0.75em;
border-left: solid #9999FF 0.25em;
position: relative;
z-index: 1;
}
.element:before {
position: absolute;
z-index: 2;
top: 0;
left: -1.15em;
height: 2em;
width: 0.9em;
background: #EEEEFF;
content: ' ';
border-style: none none solid solid;
border-color: #9999FF;
border-width: 0.25em;
}
.example { display: block; color: #222222; background: #FCFCFC; border-left: double; margin-left: 2em; padding-left: 1em; }
td > .example:only-child { margin: 0 0 0 0.1em; }
ul.domTree, ul.domTree ul { padding: 0 0 0 1em; margin: 0; }
ul.domTree li { padding: 0; margin: 0; list-style: none; position: relative; }
ul.domTree li li { list-style: none; }
ul.domTree li:first-child::before { position: absolute; top: 0; height: 0.6em; left: -0.75em; width: 0.5em; border-style: none none solid solid; content: ''; border-width: 0.1em; }
ul.domTree li:not(:last-child)::after { position: absolute; top: 0; bottom: -0.6em; left: -0.75em; width: 0.5em; border-style: none none solid solid; content: ''; border-width: 0.1em; }
ul.domTree span { font-style: italic; font-family: serif; }
ul.domTree .t1 code { color: purple; font-weight: bold; }
ul.domTree .t2 { font-style: normal; font-family: monospace; }
ul.domTree .t2 .name { color: black; font-weight: bold; }
ul.domTree .t2 .value { color: blue; font-weight: normal; }
ul.domTree .t3 code, .domTree .t4 code, .domTree .t5 code { color: gray; }
ul.domTree .t7 code, .domTree .t8 code { color: green; }
ul.domTree .t10 code { color: teal; }
body.dfnEnabled dfn { cursor: pointer; }
.dfnPanel {
display: inline;
position: absolute;
z-index: 10;
height: auto;
width: auto;
padding: 0.5em 0.75em;
font: small sans-serif, Droid Sans Fallback;
background: #DDDDDD;
color: black;
border: outset 0.2em;
}
.dfnPanel * { margin: 0; padding: 0; font: inherit; text-indent: 0; }
.dfnPanel :link, .dfnPanel :visited { color: black; }
.dfnPanel p { font-weight: bolder; }
.dfnPanel * + p { margin-top: 0.25em; }
.dfnPanel li { list-style-position: inside; }
#configUI { position: absolute; z-index: 20; top: 10em; right: 1em; width: 11em; font-size: small; }
#configUI p { margin: 0.5em 0; padding: 0.3em; background: #EEEEEE; color: black; border: inset thin; }
#configUI p label { display: block; }
#configUI #updateUI, #configUI .loginUI { text-align: center; }
#configUI input[type=button] { display: block; margin: auto; }
fieldset { margin: 1em; padding: 0.5em 1em; }
fieldset > legend + * { margin-top: 0; }
fieldset > :last-child { margin-bottom: 0; }
fieldset p { margin: 0.5em 0; }
.stability {
position: fixed;
bottom: 0;
left: 0; right: 0;
margin: 0 auto 0 auto !important;
z-index: 1000;
width: 50%;
background: maroon; color: yellow;
-webkit-border-radius: 1em 1em 0 0;
-moz-border-radius: 1em 1em 0 0;
border-radius: 1em 1em 0 0;
-moz-box-shadow: 0 0 1em #500;
-webkit-box-shadow: 0 0 1em #500;
box-shadow: 0 0 1em red;
padding: 0.5em 1em;
text-align: center;
}
.stability strong {
display: block;
}
.stability input {
appearance: none; margin: 0; border: 0; padding: 0.25em 0.5em; background: transparent; color: black;
position: absolute; top: -0.5em; right: 0; font: 1.25em sans-serif; text-align: center;
}
.stability input:hover {
color: white;
text-shadow: 0 0 2px black;
}
.stability input:active {
padding: 0.3em 0.45em 0.2em 0.55em;
}
.stability :link, .stability :visited,
.stability :link:hover, .stability :visited:hover {
background: transparent;
color: white;
}
</style><link href="data:text/css,.impl%20%7B%20display:%20none;%20%7D%0Ahtml%20%7B%20border:%20solid%20yellow;%20%7D%20.domintro:before%20%7B%20display:%20none;%20%7D" id="author" rel="alternate stylesheet" title="Author documentation only"><link href="data:text/css,.impl%20%7B%20background:%20%23FFEEEE;%20%7D%20.domintro:before%20%7B%20background:%20%23FFEEEE;%20%7D" id="highlight" rel="alternate stylesheet" title="Highlight implementation
requirements"><link href="http://www.w3.org/StyleSheets/TR/W3C-WD" rel="stylesheet" type="text/css"><style type="text/css">
.applies thead th > * { display: block; }
.applies thead code { display: block; }
.applies tbody th { whitespace: nowrap; }
.applies td { text-align: center; }
.applies .yes { background: yellow; }
.matrix, .matrix td { border: hidden; text-align: right; }
.matrix { margin-left: 2em; }
.dice-example { border-collapse: collapse; border-style: hidden solid solid hidden; border-width: thin; margin-left: 3em; }
.dice-example caption { width: 30em; font-size: smaller; font-style: italic; padding: 0.75em 0; text-align: left; }
.dice-example td, .dice-example th { border: solid thin; width: 1.35em; height: 1.05em; text-align: center; padding: 0; }
td.eg { border-width: thin; text-align: center; }
#table-example-1 { border: solid thin; border-collapse: collapse; margin-left: 3em; }
#table-example-1 * { font-family: "Essays1743", serif; line-height: 1.01em; }
#table-example-1 caption { padding-bottom: 0.5em; }
#table-example-1 thead, #table-example-1 tbody { border: none; }
#table-example-1 th, #table-example-1 td { border: solid thin; }
#table-example-1 th { font-weight: normal; }
#table-example-1 td { border-style: none solid; vertical-align: top; }
#table-example-1 th { padding: 0.5em; vertical-align: middle; text-align: center; }
#table-example-1 tbody tr:first-child td { padding-top: 0.5em; }
#table-example-1 tbody tr:last-child td { padding-bottom: 1.5em; }
#table-example-1 tbody td:first-child { padding-left: 2.5em; padding-right: 0; width: 9em; }
#table-example-1 tbody td:first-child::after { content: leader(". "); }
#table-example-1 tbody td { padding-left: 2em; padding-right: 2em; }
#table-example-1 tbody td:first-child + td { width: 10em; }
#table-example-1 tbody td:first-child + td ~ td { width: 2.5em; }
#table-example-1 tbody td:first-child + td + td + td ~ td { width: 1.25em; }
.apple-table-examples { border: none; border-collapse: separate; border-spacing: 1.5em 0em; width: 40em; margin-left: 3em; }
.apple-table-examples * { font-family: "Times", serif; }
.apple-table-examples td, .apple-table-examples th { border: none; white-space: nowrap; padding-top: 0; padding-bottom: 0; }
.apple-table-examples tbody th:first-child { border-left: none; width: 100%; }
.apple-table-examples thead th:first-child ~ th { font-size: smaller; font-weight: bolder; border-bottom: solid 2px; text-align: center; }
.apple-table-examples tbody th::after, .apple-table-examples tfoot th::after { content: leader(". ") }
.apple-table-examples tbody th, .apple-table-examples tfoot th { font: inherit; text-align: left; }
.apple-table-examples td { text-align: right; vertical-align: top; }
.apple-table-examples.e1 tbody tr:last-child td { border-bottom: solid 1px; }
.apple-table-examples.e1 tbody + tbody tr:last-child td { border-bottom: double 3px; }
.apple-table-examples.e2 th[scope=row] { padding-left: 1em; }
.apple-table-examples sup { line-height: 0; }
.details-example img { vertical-align: top; }
#base64-table {
white-space: nowrap;
font-size: 0.6em;
column-width: 6em;
column-count: 5;
column-gap: 1em;
-moz-column-width: 6em;
-moz-column-count: 5;
-moz-column-gap: 1em;
-webkit-column-width: 6em;
-webkit-column-count: 5;
-webkit-column-gap: 1em;
}
#base64-table thead { display: none; }
#base64-table * { border: none; }
#base64-table tbody td:first-child:after { content: ':'; }
#base64-table tbody td:last-child { text-align: right; }
#named-character-references-table {
white-space: nowrap;
font-size: 0.6em;
column-width: 30em;
column-gap: 1em;
-moz-column-width: 30em;
-moz-column-gap: 1em;
-webkit-column-width: 30em;
-webkit-column-gap: 1em;
}
#named-character-references-table > table > tbody > tr > td:first-child + td,
#named-character-references-table > table > tbody > tr > td:last-child { text-align: center; }
#named-character-references-table > table > tbody > tr > td:last-child:hover > span { position: absolute; top: auto; left: auto; margin-left: 0.5em; line-height: 1.2; font-size: 5em; border: outset; padding: 0.25em 0.5em; background: white; width: 1.25em; height: auto; text-align: center; }
#named-character-references-table > table > tbody > tr#entity-CounterClockwiseContourIntegral > td:first-child { font-size: 0.5em; }
.glyph.control { color: red; }
@font-face {
font-family: 'Essays1743';
src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743.ttf');
}
@font-face {
font-family: 'Essays1743';
font-weight: bold;
src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-Bold.ttf');
}
@font-face {
font-family: 'Essays1743';
font-style: italic;
src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-Italic.ttf');
}
@font-face {
font-family: 'Essays1743';
font-style: italic;
font-weight: bold;
src: url('http://www.whatwg.org/specs/web-apps/current-work/fonts/Essays1743-BoldItalic.ttf');
}
</style><style type="text/css">
.domintro:before { display: table; margin: -1em -0.5em -0.5em auto; width: auto; content: 'This box is non-normative. Implementation requirements are given below this box.'; color: black; font-style: italic; border: solid 2px; background: white; padding: 0 0.25em; }
</style><script type="text/javascript">
function getCookie(name) {
var params = location.search.substr(1).split("&");
for (var index = 0; index < params.length; index++) {
if (params[index] == name)
return "1";
var data = params[index].split("=");
if (data[0] == name)
return unescape(data[1]);
}
var cookies = document.cookie.split("; ");
for (var index = 0; index < cookies.length; index++) {
var data = cookies[index].split("=");
if (data[0] == name)
return unescape(data[1]);
}
return null;
}
</script>
<script src="link-fixup.js" type="text/javascript"></script>
<link href="style.css" rel="stylesheet"><link href="browsers.html" title="5 Loading Web pages" rel="prev">
<link href="spec.html#contents" title="Table of contents" rel="index">
<link href="history.html" title="5.4 Session history and navigation" rel="next">
</head><body><div class="head" id="head">
<div id="multipage-common">
<p class="stability" id="wip"><strong>This is a work in
progress!</strong> For the latest updates from the HTML WG, possibly
including important bug fixes, please look at the <a href="http://dev.w3.org/html5/spec/Overview.html">editor's draft</a> instead.
There may also be a more
<a href="http://www.w3.org/TR/html5">up-to-date Working Draft</a>
with changes based on resolution of Last Call issues.
<input onclick="closeWarning(this.parentNode)" type="button" value="&#9587;&#8413;"></p>
<script type="text/javascript">
function closeWarning(element) {
element.parentNode.removeChild(element);
var date = new Date();
date.setDate(date.getDate()+4);
document.cookie = 'hide-obsolescence-warning=1; expires=' + date.toGMTString();
}
if (getCookie('hide-obsolescence-warning') == '1')
setTimeout(function () { document.getElementById('wip').parentNode.removeChild(document.getElementById('wip')); }, 2000);
</script></div>
<p><a href="http://www.w3.org/"><img alt="W3C" height="48" src="http://www.w3.org/Icons/w3c_home" width="72"></a></p>
<h1>HTML5</h1>
</div><div>
<a href="browsers.html" class="prev">5 Loading Web pages</a> &#8211;
<a href="spec.html#contents">Table of contents</a> &#8211;
<a href="history.html" class="next">5.4 Session history and navigation</a>
<ol class="toc"><li><ol><li><a href="origin-0.html#origin-0"><span class="secno">5.3 </span>Origin</a>
<ol><li><a href="origin-0.html#relaxing-the-same-origin-restriction"><span class="secno">5.3.1 </span>Relaxing the same-origin restriction</a></li></ol></li></ol></li></ol></div>
<h3 id="origin-0"><span class="secno">5.3 </span>Origin</h3><p>The <dfn id="origin">origin</dfn> of a resource and the <dfn id="effective-script-origin">effective script
origin</dfn> of a resource are both either opaque identifiers or
tuples consisting of a scheme component, a host component, a port
component, and optionally extra data.</p><p class="note">The extra data could include the certificate of the
site when using encrypted connections, to ensure that if the site's
secure certificate changes, the origin is considered to change as
well.</p><div class="impl">
<p>These characteristics are defined as follows:</p>
<dl><dt>For URLs</dt>
<dd>
<p>The <a href="#origin">origin</a> and <a href="#effective-script-origin">effective script
origin</a> of the <a href="urls.html#url">URL</a> is whatever is returned by
the following algorithm:</p>
<ol><li><p>Let <var title="">url</var> be the <a href="urls.html#url">URL</a> for
which the <a href="#origin">origin</a> is being determined.</p></li>
<li><p><a href="urls.html#parse-a-url" title="parse a url">Parse</a> <var title="">url</var>.</p></li>
<li><p>If <var title="">url</var> identifies a resource that is
its own trust domain (e.g. it identifies an e-mail on an IMAP
server or a post on an NNTP server) then return a globally unique
identifier specific to the resource identified by <var title="">url</var>, so that if this algorithm is invoked again
for <a href="urls.html#url" title="URL">URLs</a> that identify the same resource,
the same identifier will be returned.</p></li>
<li><p>If <var title="">url</var> does not use a server-based
naming authority, or if parsing <var title="">url</var> failed,
or if <var title="">url</var> is not an <a href="urls.html#absolute-url">absolute
URL</a>, then return a new globally unique
identifier.</p></li>
<li><p>Let <var title="">scheme</var> be the <a href="urls.html#url-scheme" title="url-scheme">&lt;scheme&gt;</a> component of <var title="">url</var>, <a href="infrastructure.html#converted-to-ascii-lowercase">converted to ASCII lowercase</a>.</p></li>
<li><p>If the UA doesn't support the protocol given by <var title="">scheme</var>, then return a new globally unique
identifier.</p></li>
<li><p>If <var title="">scheme</var> is "<code title="">file</code>", then the user agent may return a
UA-specific value.</p></li>
<li><p>Let <var title="">host</var> be the <a href="urls.html#url-host" title="url-host">&lt;host&gt;</a> component of <var title="">url</var>.</p></li>
<li>
<p>Apply the IDNA ToASCII algorithm to <var title="">host</var>,
with both the AllowUnassigned and UseSTD3ASCIIRules flags
set. Let <var title="">host</var> be the result of the ToASCII
algorithm.</p>
<p>If ToASCII fails to convert one of the components of the
string, e.g. because it is too long or because it contains
invalid characters, then return a new globally unique
identifier. <a href="references.html#refsRFC3490">[RFC3490]</a></p>
</li>
<li><p>Let <var title="">host</var> be the result of converting
<var title="">host</var> <a href="infrastructure.html#converted-to-ascii-lowercase" title="converted to ASCII lowercase">to
ASCII lowercase</a>.</p></li>
<li><p>If there is no <a href="urls.html#url-port" title="url-port">&lt;port&gt;</a>
component, then let <var title="">port</var> be the default port
for the protocol given by <var title="">scheme</var>. Otherwise,
let <var title="">port</var> be the <a href="urls.html#url-port" title="url-port">&lt;port&gt;</a> component of <var title="">url</var>.</p></li>
<li><p>Return the tuple (<var title="">scheme</var>, <var title="">host</var>, <var title="">port</var>).</p></li>
</ol><p>In addition, if the <a href="urls.html#url">URL</a> is in fact associated with
a <code><a href="infrastructure.html#document">Document</a></code> object that was created by parsing the
resource obtained from fetching <a href="urls.html#url">URL</a>, and this was
done over a secure connection, then the server's secure
certificate may be added to the origin as additional data.</p>
</dd>
<dt>For scripts</dt>
<dd>
<p>The <a href="#origin">origin</a> and <a href="#effective-script-origin">effective script
origin</a> of a script are determined from another resource,
called the <i>owner</i>:</p>
<dl class="switch"><dt>If a script is in a <code><a href="scripting-1.html#the-script-element">script</a></code> element</dt>
<dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> to which the
<code><a href="scripting-1.html#the-script-element">script</a></code> element belongs.</dd>
<dt>If a script is in an <a href="webappapis.html#event-handler-content-attributes" title="event handler content
attributes">event handler content attribute</a></dt>
<dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> to which the
attribute node belongs.</dd>
<dt>If a script is a function or other code reference created by
another script</dt>
<dd>The owner is the script that created it.</dd>
<dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> that was returned as the
location of an HTTP redirect (<a href="fetching-resources.html#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a> in
other protocols)</dt>
<dd>The owner is the <a href="urls.html#url">URL</a> that redirected to the
<a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a>.</dd>
<dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> in an attribute</dt>
<dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> of the element on
which the attribute is found.</dd>
<dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> in a style sheet</dt>
<dd>The owner is the <a href="urls.html#url">URL</a> of the style sheet.</dd>
<dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> to which a <a href="browsers.html#browsing-context">browsing
context</a> is being <a href="history.html#navigate" title="navigate">navigated</a>,
the URL having been provided by the user (e.g. by using a
<i>bookmarklet</i>)</dt>
<dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> of the <a href="browsers.html#browsing-context">browsing
context</a>'s <a href="browsers.html#active-document">active document</a>.</dd>
<dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> to which a <a href="browsers.html#browsing-context">browsing
context</a> is being <a href="history.html#navigate" title="navigate">navigated</a>,
the URL having been declared in markup</dt>
<dd>The owner is the <code><a href="infrastructure.html#document">Document</a></code> of the element
(e.g. an <code><a href="text-level-semantics.html#the-a-element">a</a></code> or <code><a href="the-map-element.html#the-area-element">area</a></code> element) that
declared the URL.</dd>
<dt>If a script is a <a href="webappapis.html#javascript-protocol" title="javascript protocol"><code title="">javascript:</code> URL</a> to which a <a href="browsers.html#browsing-context">browsing
context</a> is being <a href="history.html#navigate" title="navigate">navigated</a>,
the URL having been provided by script</dt>
<dd>The owner is the script that provided the URL.</dd>
</dl><p>The <a href="#origin">origin</a> of the script is then equal to the
<a href="#origin">origin</a> of the owner, and the <a href="#effective-script-origin">effective script
origin</a> of the script is equal to the <a href="#effective-script-origin">effective script
origin</a> of the owner.</p>
</dd>
<dt>For <code><a href="infrastructure.html#document">Document</a></code> objects and images</dt>
<dd>
<dl class="switch"><dt id="sandboxOrigin">If a <code><a href="infrastructure.html#document">Document</a></code> is in a
<a href="browsers.html#browsing-context">browsing context</a> whose <a href="the-iframe-element.html#sandboxed-origin-browsing-context-flag">sandboxed origin
browsing context flag</a> was set when the
<code><a href="infrastructure.html#document">Document</a></code> was created</dt>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> was generated from a resource
labeled as <code><a href="iana.html#text-html-sandboxed">text/html-sandboxed</a></code></dt>
<dd>The <a href="#origin">origin</a> is a globally unique identifier
assigned when the <code><a href="infrastructure.html#document">Document</a></code> is created.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was generated from a
<a href="webappapis.html#javascript-protocol" title="javascript protocol"><code>javascript:</code>
URL</a></dt>
<dd>The <a href="#origin">origin</a> is equal to the <a href="#origin">origin</a>
of the script of that <a href="webappapis.html#javascript-protocol" title="javascript
protocol"><code>javascript:</code> URL</a>.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was served over the
network and has an address that uses a URL scheme with a
server-based naming authority</dt>
<dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
<a href="dom.html#the-document-s-address" title="the document's address">address</a> of the
<code><a href="infrastructure.html#document">Document</a></code> or the <a href="urls.html#url">URL</a> of the image, as
appropriate.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was generated from a
<a href="infrastructure.html#data-protocol" title="data protocol"><code title="">data:</code>
URL</a> that was returned as the location of an HTTP redirect
(<a href="fetching-resources.html#concept-http-equivalent-codes" title="concept-http-equivalent-codes">or equivalent</a>
in other protocols)</dt>
<dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
<a href="urls.html#url">URL</a> that redirected to the <a href="infrastructure.html#data-protocol" title="data
protocol"><code title="">data:</code> URL</a>.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was generated from a
<a href="infrastructure.html#data-protocol" title="data protocol"><code title="">data:</code>
URL</a> found in another <code><a href="infrastructure.html#document">Document</a></code> or in a
script</dt>
<dd>The <a href="#origin">origin</a> is the <a href="#origin">origin</a> of the
<code><a href="infrastructure.html#document">Document</a></code> or script that initiated the <a href="history.html#navigate" title="navigate">navigation</a> to that <a href="urls.html#url">URL</a>.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> has the <a href="dom.html#the-document-s-address" title="the
document's address">address</a>
"<code><a href="fetching-resources.html#about:blank">about:blank</a></code>"</dt>
<dd>The <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code> is <a href="browsers.html#about-blank-origin">the <span>origin</span> it was
assigned when its browsing context was created</a>.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> is <a href="the-iframe-element.html#an-iframe-srcdoc-document">an <code>iframe</code> <code title="attr-iframe-srcdoc">srcdoc</code> document</a></dt>
<dd>The <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code> is the
<a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code>'s <a href="browsers.html#browsing-context">browsing
context</a>'s <a href="browsers.html#browsing-context-container">browsing context container</a>'s
<code><a href="infrastructure.html#document">Document</a></code>.</dd>
<dt>If a <code><a href="infrastructure.html#document">Document</a></code> or image was obtained in some
other manner (e.g. a <a href="infrastructure.html#data-protocol" title="data protocol"><code title="">data:</code> URL</a> typed in by the user, a
<code><a href="infrastructure.html#document">Document</a></code> created using the <code title="dom-DOMImplementation-createDocument"><a href="infrastructure.html#dom-domimplementation-createdocument">createDocument()</a></code>
API, etc)</dt>
<dd>The <a href="#origin">origin</a> is a globally unique identifier
assigned when the <code><a href="infrastructure.html#document">Document</a></code> or image is created.</dd>
</dl><p>When a <code><a href="infrastructure.html#document">Document</a></code> is created, its <a href="#effective-script-origin">effective
script origin</a> is initialized to the <a href="#origin">origin</a> of
the <code><a href="infrastructure.html#document">Document</a></code>. However, the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute can
be used to change it.</p>
</dd>
<dt>For <code><a href="the-iframe-element.html#the-audio-element">audio</a></code> and <code><a href="the-iframe-element.html#the-video-element">video</a></code> elements</dt>
<dd>
<p>If value of the <a href="the-iframe-element.html#media-element">media element</a>'s <code title="dom-media-currentSrc"><a href="the-iframe-element.html#dom-media-currentsrc">currentSrc</a></code> attribute is the
empty string, the <a href="#origin">origin</a> is the same as the
<a href="#origin">origin</a> of the element's <code><a href="infrastructure.html#document">Document</a></code>'s
<a href="#origin">origin</a>.</p>
<p>Otherwise, the <a href="#origin">origin</a> is equal to the
<a href="#origin">origin</a> of the <a href="urls.html#absolute-url">absolute URL</a> given by the
<a href="the-iframe-element.html#media-element">media element</a>'s <code title="dom-media-currentSrc"><a href="the-iframe-element.html#dom-media-currentsrc">currentSrc</a></code> attribute.</p>
</dd>
<dt>For fonts</dt>
<dd>
<p>The <a href="#origin">origin</a> of a downloadable Web font is equal to
the <a href="#origin">origin</a> of the <a href="urls.html#absolute-url">absolute URL</a> used to
obtain the font (after any redirects). <a href="references.html#refsCSSFONTS">[CSSFONTS]</a></p>
<p>The <a href="#origin">origin</a> of a locally installed system font is
equal to the <a href="#origin">origin</a> of the <code><a href="infrastructure.html#document">Document</a></code> in
which that font is being used.</p>
</dd>
</dl><p>Other specifications can override the above definitions by
themselves specifying the origin of a particular URL, script,
<code><a href="infrastructure.html#document">Document</a></code>, or image.</p>
<hr><p>The <dfn id="unicode-serialization-of-an-origin">Unicode serialization of an origin</dfn> is the string
obtained by applying the following algorithm to the given
<a href="#origin">origin</a>:</p>
<ol><li><p>If the <a href="#origin">origin</a> in question is not a
scheme/host/port tuple, then return the literal string "<code title="">null</code>" and abort these steps.</p></li>
<li><p>Otherwise, let <var title="">result</var> be the scheme part
of the <a href="#origin">origin</a> tuple.</p></li>
<li><p>Append the string "<code title="">://</code>" to <var title="">result</var>.</p></li>
<li><p>Apply the IDNA ToUnicode algorithm to each component of the
host part of the <a href="#origin">origin</a> tuple, and append the results
&#8212; each component, in the same order, separated by U+002E FULL
STOP characters (.) &#8212; to <var title="">result</var>. <a href="references.html#refsRFC3490">[RFC3490]</a></p></li>
<li><p>If the port part of the <a href="#origin">origin</a> tuple gives a port
that is different from the default port for the protocol given by
the scheme part of the <a href="#origin">origin</a> tuple, then append a
U+003A COLON character (:) and the given port, in base ten, to
<var title="">result</var>.</p></li>
<li><p>Return <var title="">result</var>.</p></li>
</ol><p>The <dfn id="ascii-serialization-of-an-origin">ASCII serialization of an origin</dfn> is the string
obtained by applying the following algorithm to the given
<a href="#origin">origin</a>:</p>
<ol><li><p>If the <a href="#origin">origin</a> in question is not a
scheme/host/port tuple, then return the literal string "<code title="">null</code>" and abort these steps.</p></li>
<li><p>Otherwise, let <var title="">result</var> be the scheme part
of the <a href="#origin">origin</a> tuple.</p></li>
<li><p>Append the string "<code title="">://</code>" to <var title="">result</var>.</p></li>
<li>
<p>Apply the IDNA ToASCII algorithm the host part of the
<a href="#origin">origin</a> tuple, with both the AllowUnassigned and
UseSTD3ASCIIRules flags set, and append the results <var title="">result</var>.</p>
<p>If ToASCII fails to convert one of the components of the
string, e.g. because it is too long or because it contains invalid
characters, then return the empty string and abort these steps. <a href="references.html#refsRFC3490">[RFC3490]</a></p>
</li>
<li><p>If the port part of the <a href="#origin">origin</a> tuple gives a port
that is different from the default port for the protocol given by
the scheme part of the <a href="#origin">origin</a> tuple, then append a
U+003A COLON character (:) and the given port, in base ten, to
<var title="">result</var>.</p></li>
<li><p>Return <var title="">result</var>.</p></li>
</ol><p>Two <a href="#origin" title="origin">origins</a> are said to be the
<dfn id="same-origin">same origin</dfn> if the following algorithm returns true:</p>
<ol><li><p>Let <var title="">A</var> be the first <a href="#origin">origin</a>
being compared, and <var title="">B</var> be the second
<a href="#origin">origin</a> being compared.</p></li>
<li><p>If <var title="">A</var> and <var title="">B</var> are both
opaque identifiers, and their value is equal, then return
true.</p></li>
<li><p>Otherwise, if either <var title="">A</var> or <var title="">B</var> or both are opaque identifiers, return
false.</p></li>
<li><p>If <var title="">A</var> and <var title="">B</var> have
scheme components that are not identical, return false.</p></li>
<li><p>If <var title="">A</var> and <var title="">B</var> have host
components that are not identical, return false.</p></li>
<li><p>If <var title="">A</var> and <var title="">B</var> have port
components that are not identical, return false.</p></li>
<li><p>If either <var title="">A</var> or <var title="">B</var>
have additional data, but that data is not identical for both,
return false.</p></li>
<li><p>Return true.</p></li>
</ol></div><h4 id="relaxing-the-same-origin-restriction"><span class="secno">5.3.1 </span>Relaxing the same-origin restriction</h4><dl class="domintro"><dt><var title="">document</var> . <code title="dom-document-domain"><a href="#dom-document-domain">domain</a></code> [ = <var title="">domain</var> ]</dt>
<dd>
<p>Returns the current domain used for security checks.</p>
<p>Can be set to a value that removes subdomains, to change the
<a href="#effective-script-origin">effective script origin</a> to allow pages on other
subdomains of the same domain (if they do the same thing) to
access each other.</p>
</dd>
</dl><div class="impl">
<p>The <dfn id="dom-document-domain" title="dom-document-domain"><code>domain</code></dfn>
attribute on <code><a href="infrastructure.html#document">Document</a></code> objects must be initialized to
<a href="#the-document-s-domain">the document's domain</a>, if it has one, and the empty
string otherwise. If the value is an IPv6 address, then the square
brackets from the host portion of the <a href="urls.html#url-host" title="url-host">&lt;host&gt;</a> component must be omitted from
the attribute's value.</p>
<p>On getting, the attribute must return its current value, unless
the <code><a href="infrastructure.html#document">Document</a></code> has no <a href="browsers.html#browsing-context">browsing context</a>, in
which case it must return the empty string.</p>
<p>On setting, the user agent must run the following algorithm:</p>
<ol><li>
<p>If the <code><a href="infrastructure.html#document">Document</a></code> has no <a href="browsers.html#browsing-context">browsing
context</a>, throw a <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and
abort these steps.</p>
</li>
<li>
<p>If the new value is an IP address, let <var title="">new
value</var> be the new value. Otherwise, apply the IDNA ToASCII
algorithm to the new value, with both the AllowUnassigned and
UseSTD3ASCIIRules flags set, and let <var title="">new value</var>
be the result of the ToASCII algorithm.</p>
<p>If ToASCII fails to convert one of the components of the
string, e.g. because it is too long or because it contains invalid
characters, then throw a <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort
these steps. <a href="references.html#refsRFC3490">[RFC3490]</a></p>
</li>
<li>
<p>If <var title="">new value</var> is not exactly equal to the
current value of the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute, then
run these substeps:</p>
<ol><li>
<p>If the current value is an IP address, throw a
<code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort these steps.</p>
</li>
<li>
<p>If <var title="">new value</var>, prefixed by a U+002E FULL
STOP (.), does not exactly match the end of the current value,
throw a <code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort these
steps.</p>
</li>
<li>
<p>If <var title="">new value</var> matches a suffix in the
Public Suffix List, or, if <var title="">new value</var>,
prefixed by a U+002E FULL STOP (.), matches the end of a
suffix in the Public Suffix List, then throw a
<code><a href="common-dom-interfaces.html#security_err">SECURITY_ERR</a></code> exception and abort these steps. <a href="references.html#refsPSL">[PSL]</a></p>
<p>Suffixes must be compared after applying the IDNA ToASCII
algorithm to them, with both the AllowUnassigned and
UseSTD3ASCIIRules flags set, in an <a href="infrastructure.html#ascii-case-insensitive">ASCII
case-insensitive</a> manner. <a href="references.html#refsRFC3490">[RFC3490]</a></p>
</li>
</ol></li>
<li><p>Release the <a href="webappapis.html#storage-mutex">storage mutex</a>.</p></li>
<li>
<p>Set the attribute's value to <var title="">new value</var>.</p>
</li>
<li>
<p>Set the host part of the <a href="#effective-script-origin">effective script origin</a>
tuple of the <code><a href="infrastructure.html#document">Document</a></code> to <var title="">new
value</var>.</p>
</li>
<li>
<p>Set the port part of the <a href="#effective-script-origin">effective script origin</a>
tuple of the <code><a href="infrastructure.html#document">Document</a></code> to "manual override" (a value
that, for the purposes of <a href="#same-origin" title="same origin">comparing
origins</a>, is identical to "manual override" but not
identical to any other value).</p>
</li>
</ol><p>The <dfn id="the-document-s-domain" title="the document's domain">domain</dfn> of a
<code><a href="infrastructure.html#document">Document</a></code> is the host part of the document's
<a href="#origin">origin</a>, if that is a scheme/host/port tuple. If it
isn't, then the document does not have a domain.</p>
</div><p class="note">The <code title="dom-document-domain"><a href="#dom-document-domain">domain</a></code>
attribute is used to enable pages on different hosts of a domain to
access each others' DOMs.</p><p class="warning">Do not use the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute when
using shared hosting. If an untrusted third party is able to host an
HTTP server at the same IP address but on a different port, then the
same-origin protection that normally protects two different sites on
the same host will fail, as the ports are ignored when comparing
origins after the <code title="dom-document-domain"><a href="#dom-document-domain">document.domain</a></code> attribute has
been used.</p></body></html>