RFC 6454 - The Web Origin Concept
Publication Date: December 2011
Status: Standards Track
Author: A. Barth (Google, Inc.)
Abstract
This document defines the concept of an "origin", which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named "Origin", that indicates which origins are associated with an HTTP request.
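The origin algorithm, origin comparison and ASCII serialization that the abstract refers to (Sections 4, 5, 6.2 and 7 of the RFC), worked through as an added JavaScript example; this is not code from the RFC. It assumes the WHATWG URL parser found in Node.js and browsers in place of the RFC 3986 parsing the RFC references, a small table of default ports for the schemes treated as supported, and a JavaScript Symbol standing in for the "globally unique identifier" the RFC asks for. Collapsing an origin list to "null" when any member is opaque is this example's choice, since the header's grammar has no way to place "null" inside a list.

```javascript
// RFC 6454 worked example (added here, not code from the RFC).
// Assumption: the WHATWG URL parser lowercases scheme and host and strips
// default ports, which is the same direction RFC 6454 normalises in.

// Default ports for the schemes this example treats as "supported"
// (RFC 6454 Section 4, step 3). Anything else yields an opaque origin.
const DEFAULT_PORTS = { http: 80, https: 443, ws: 80, wss: 443, ftp: 21 };

// Section 4, steps 1 and 3: "generate a fresh globally unique identifier".
// A Symbol is equal only to itself, which is exactly the Section 5 rule.
function opaqueOrigin() {
  return Symbol('opaque-origin');
}

// Section 4: origin of a URI, as a (scheme, host, port) triple or an
// opaque identifier. Parsing the same data: or about: URI twice yields two
// different opaque origins, as the RFC's note on the algorithm warns.
function originOf(uri) {
  let url;
  try {
    url = new URL(uri);
  } catch {
    return opaqueOrigin();                       // step 1: not an absolute URI
  }
  const scheme = url.protocol.slice(0, -1).toLowerCase(); // step 2
  if (!(scheme in DEFAULT_PORTS)) return opaqueOrigin();  // step 3 (also data:, about:, mailto:, file:)
  if (url.hostname === '') return opaqueOrigin();          // step 1: no naming authority
  const port = url.port === '' ? DEFAULT_PORTS[scheme] : Number(url.port); // step 6
  // url.hostname is already lowercase (step 5) and, for IDN labels, in the
  // IDNA ToASCII form that Section 6.2 serialises.
  return { scheme, host: url.hostname, port };   // step 7
}

// Section 5: two origins are the same only if identical. An opaque origin
// is the same as nothing but itself; triples compare field by field.
function sameOrigin(a, b) {
  if (typeof a === 'symbol' || typeof b === 'symbol') return a === b;
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Section 6.2: ASCII serialization. Opaque -> "null"; otherwise
// scheme "://" host, with ":" port only when port is not the scheme default.
function serializeOrigin(origin) {
  if (typeof origin === 'symbol') return 'null';
  let out = origin.scheme + '://' + origin.host;
  if (origin.port !== DEFAULT_PORTS[origin.scheme]) out += ':' + origin.port;
  return out;
}

// Section 7.1: the Origin header value is "null" or a space-separated list
// of serialized origins. The grammar cannot carry "null" inside a list, so
// this example (its own choice) sends "null" if any member is opaque.
function originHeaderValue(origins) {
  if (origins.length === 0) return 'null';
  const parts = origins.map(serializeOrigin);
  return parts.includes('null') ? 'null' : parts.join(' ');
}

// Stand-alone demonstration with constructed URIs.
function demo() {
  const pairs = [
    ['http://example.com/',       'HTTP://Example.COM:80/a?b#c'],   // same: explicit default port
    ['https://example.com/',      'http://example.com/'],           // differ: scheme
    ['http://example.com/',       'http://example.com:8080/'],      // differ: port
    ['http://example.com/',       'http://www.example.com/'],       // differ: host
    ['data:text/plain,hi',        'data:text/plain,hi'],            // opaque: never the same
    ['https://b\u00fccher.example/', 'https://xn--bcher-kva.example/'], // same after IDNA ToASCII
  ];
  for (const [u1, u2] of pairs) {
    const o1 = originOf(u1), o2 = originOf(u2);
    console.log(
      `${serializeOrigin(o1).padEnd(32)} vs ${serializeOrigin(o2).padEnd(32)} same-origin: ${sameOrigin(o1, o2)}`
    );
  }
  console.log('Origin: ' + originHeaderValue([originOf('https://a.example'), originOf('http://b.example:8080')]));
  console.log('Origin: ' + originHeaderValue([originOf('https://a.example'), originOf('about:blank')]));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

Two things to take from running it: an explicit ":80" on an http URI is not a distinct origin, while ":8080" is, and a data: or about: URI never shares an origin even with itself, which is why such contexts send "Origin: null" (Section 7) and why servers that whitelist by string comparison must treat "null" as untrusted rather than as a literal origin.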
Table of Contents
- 1. Introduction
- 2. Conventions
- 2.1 Conformance Criteria
- 2.2 Syntax Notation
- 2.3 Terminology
- 3. Principles of the Same-Origin Policy
- 3.1 Trust
- 3.2 Origin
- 3.3 Authority
- 3.4 Policy
- 3.5 Conclusion
- 4. Origin of a URI
- 5. Comparing Origins
- 6. Serializing Origins
- 6.1 Unicode Serialization of an Origin
- 6.2 ASCII Serialization of an Origin
- 7. The HTTP Origin Header Field
- 7.1 Syntax
- 7.2 Semantics
- 7.3 User Agent Requirements
- 8. Security Considerations
- 8.1 Reliance on DNS
- 8.2 Divergent Units of Isolation
- 8.3 Ambient Authority
- 8.4 IDNA Dependency and Migration
- 9. IANA Considerations
- 10. References
- 10.1 Normative References
- 10.2 Informative References
Appendices
Related Resources
- Official Text: RFC 6454
- Official Page: RFC 6454 DataTracker
- Errata: RFC Editor Errata