4. Origin of a URI

The origin of a URI is the value computed by the following algorithm:

  1. If the URI does not use a hierarchical element as a naming authority (see [RFC3986], Section 3.2) or if the URI is not an absolute URI, then generate a fresh globally unique identifier and return that value.

    NOTE: Running this algorithm multiple times for the same URI can produce different values each time. Typically, user agents compute the origin of, for example, an HTML document once and use that origin for subsequent security checks rather than recomputing the origin for each security check.

  2. Let uri-scheme be the scheme component of the URI, converted to lowercase.

  3. If the implementation doesn't support the protocol given by uri-scheme, then generate a fresh globally unique identifier and return that value.

  4. If uri-scheme is "file", the implementation MAY return an implementation-defined value.

    NOTE: Historically, user agents have granted content from the file scheme a tremendous amount of privilege. However, granting all local files such wide privileges can lead to privilege escalation attacks. Some user agents have had success granting local files directory-based privileges, but this approach has not been widely adopted. Other user agents use globally unique identifiers for each file URI, which is the most secure option.

  5. Let uri-host be the host component of the URI, converted to lower case (using the i;ascii-casemap collation defined in [RFC4790]).

    NOTE: This document assumes that the user agent performs Internationalizing Domain Names in Applications (IDNA) processing and validation when constructing the URI. In particular, this document assumes the uri-host will contain only LDH labels because the user agent will have already converted any non-ASCII labels to their corresponding A-labels (see [RFC5890]). For this reason, origin-based security policies are sensitive to the IDNA algorithm employed by the user agent. See Section 8.4 for further discussion.

  6. If there is no port component of the URI:

    1. Let uri-port be the default port for the protocol given by uri-scheme.

    Otherwise:

    1. Let uri-port be the port component of the URI.

  7. Return the triple (uri-scheme, uri-host, uri-port).
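
The algorithm above as a runnable sketch. This is an added example, not part of the original document. The `DEFAULT_PORTS` table (standing in for the schemes a user agent supports), the choice to give every file URI a fresh identifier, and the handling of unparseable ports are assumptions of the example, and the host is assumed to have been through IDNA processing already, as the NOTE on step 5 states.

```python
import uuid
from urllib.parse import urlsplit

# Assumption: schemes this hypothetical user agent supports, with default ports.
DEFAULT_PORTS = {"http": 80, "https": 443, "ftp": 21, "ws": 80, "wss": 443}


def origin_of(uri):
    """Return (uri-scheme, uri-host, uri-port), or a fresh GUID (uuid.UUID)."""
    try:
        parts = urlsplit(uri)
        port = parts.port  # raises ValueError for a non-numeric or out-of-range port
    except ValueError:
        # Assumption beyond the algorithm: a URI that cannot be parsed is
        # treated like one without a usable naming authority.
        return uuid.uuid4()

    # Step 1: not an absolute URI, or no hierarchical naming authority.
    if not parts.scheme or not parts.hostname:
        return uuid.uuid4()

    # Step 2: scheme converted to lowercase.
    scheme = parts.scheme.lower()

    # Step 4: the implementation-defined value chosen here is a GUID per file
    # URI, the option the NOTE calls most secure. It is checked before step 3
    # only because "file" is not in DEFAULT_PORTS; both branches return a GUID.
    if scheme == "file":
        return uuid.uuid4()

    # Step 3: unsupported protocol.
    if scheme not in DEFAULT_PORTS:
        return uuid.uuid4()

    # Step 5: host converted to lowercase (ASCII case mapping; A-labels assumed).
    host = parts.hostname.lower()

    # Step 6: fall back to the scheme's default port when none is given.
    if port is None:
        port = DEFAULT_PORTS[scheme]

    # Step 7: the origin triple.
    return (scheme, host, port)


if __name__ == "__main__":
    # Constructed sample URIs.
    for u in ("HTTP://EXAMPLE.com/a", "https://example.com:443/", "data:text/html,hi"):
        print(u, "->", origin_of(u))
```

Because each GUID is fresh, two calls on the same `data:` or `file:` URI never compare equal, which is why the NOTE on step 1 has user agents compute the origin once and reuse it.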