CINXE.COM

RFC 6454 - The Web Origin Concept

<!DOCTYPE html> <html data-bs-theme="auto" lang="en"> <head> <meta charset="utf-8"> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <title> RFC 6454 - The Web Origin Concept </title> <meta name="viewport" content="width=device-width, initial-scale=1"> <link href="https://static.ietf.org/fonts/inter/import.css" rel="stylesheet"> <link href="https://static.ietf.org/fonts/noto-sans-mono/import.css" rel="stylesheet"> <link rel="stylesheet" href="https://static.ietf.org/dt/12.28.2/ietf/css/document_html_referenced.css"> <script type="module" crossorigin="" src="https://static.ietf.org/dt/12.28.2/assets/embedded-e653257c.js"></script> <link href="https://static.ietf.org/dt/12.28.2/assets/create-pinia-singleton-091c62b7.js" type="text/javascript" crossorigin="anonymous" rel="modulepreload" as="script" /> <link href="https://static.ietf.org/dt/12.28.2/assets/Scrollbar-7de50899.js" type="text/javascript" crossorigin="anonymous" rel="modulepreload" as="script" /> <script src="https://static.ietf.org/dt/12.28.2/ietf/js/document_html.js"></script> <script src="https://static.ietf.org/dt/12.28.2/ietf/js/theme.js"></script> <link rel="alternate" type="application/atom+xml" title="Document changes" href="/feed/document-changes/rfc6454/"> <meta name="description" content="The Web Origin Concept (RFC 6454, )" > <link rel="apple-touch-icon" sizes="180x180" href="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor-180.png"> <link rel="icon" sizes="32x32" href="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor-32.png"> <link rel="icon" sizes="16x16" href="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor-16.png"> <link rel="manifest" href="/site.webmanifest"> <link rel="mask-icon" href="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor-mask.svg" color="#ffffff"> <meta name="msapplication-TileColor" content="#ffffff"> <meta name="theme-color" content="#ffffff"> <meta property="og:title" content="RFC 6454: The Web Origin Concept"> <meta property="og:url" content="https://datatracker.ietf.org/doc/html/rfc6454"> <link rel="canonical" href="https://datatracker.ietf.org/doc/html/rfc6454"> <meta property="og:site_name" content="IETF Datatracker"> <meta property="og:description" content="This document defines the concept of an &quot;origin&quot;, which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named &quot;Origin&quot;, that indicates which origins are associated with an HTTP request. [STANDARDS-TRACK]"> <meta property="og:type" content="article"> <meta property="og:image" content="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-card.png"> <meta property="og:image:alt" content="Logo of the IETF"> <meta property="article:section" content="IETF - Internet Engineering Task Force"> <meta property="og:image:type" content="image/png"> <meta property="og:image:width" content="1200"> <meta property="og:image:height" content="630"> <meta name="twitter:card" content="summary_large_image"> <meta property="article:author" content="Adam Barth"> <style> .diff-form .select2-selection__rendered { direction: rtl; text-align: left; } </style> </head> <body> <noscript><iframe class="status" title="Site status" src="/status/latest"></iframe></noscript> <div class="vue-embed" data-component="Status"></div> <div class="btn-toolbar sidebar-toolbar position-fixed top-0 end-0 m-2 m-lg-3 d-print-none"> <div class="dropdown"> <button class="btn btn-outline-secondary btn-sm me-1 dropdown-toggle d-flex align-items-center" id="bd-theme" type="button" aria-expanded="false" data-bs-toggle="dropdown" aria-label="Toggle theme"> <i class="theme-icon-active bi bi-circle-half"></i> </button> <ul class="dropdown-menu" aria-labelledby="bd-theme"> <li> <button type="button" class="dropdown-item d-flex align-items-center" data-bs-theme-value="light" aria-pressed="false"> <i class="me-2 opacity-50 theme-icon bi bi-sun-fill"></i> Light<i class="bi bi-check2 ms-auto d-none"></i> </button> </li> <li> <button type="button" class="dropdown-item d-flex align-items-center" data-bs-theme-value="dark" aria-pressed="false"> <i class="me-2 opacity-50 theme-icon bi bi-moon-stars-fill"></i> Dark<i class="bi bi-check2 ms-auto d-none"></i> </button> </li> <li> <button type="button" class="dropdown-item d-flex align-items-center active" data-bs-theme-value="auto" aria-pressed="true"> <i class="me-2 opacity-50 theme-icon bi bi-circle-half"></i> Auto<i class="bi bi-check2 ms-auto d-none"></i> </button> </li> </ul> </div> <button class="btn btn-outline-secondary btn-sm sidebar-toggle" type="button" data-bs-toggle="collapse" data-bs-target="#sidebar" aria-expanded="true" aria-controls="sidebar" aria-label="Toggle metadata sidebar" title="Toggle metadata sidebar"> <i class="bi bi-arrow-bar-left sidebar-shown"></i> <i class="bi bi-arrow-bar-right sidebar-collapsed"></i> </button> </div> <nav class="navbar bg-light-subtle px-1 fixed-top d-print-none d-md-none"> <a class="nav-link ps-1" href="/doc/rfc6454/"> RFC 6454 <br class="d-sm-none"> <span class="ms-sm-3 badge rounded-pill badge-ps"> Proposed Standard </span> </a> <button class="navbar-toggler p-1" type="button" data-bs-toggle="collapse" data-bs-target="#docinfo-collapse" aria-controls="docinfo-collapse" aria-expanded="false" aria-label="Show document information"> <span class="navbar-toggler-icon small"></span> </button> <div class="navbar-nav navbar-nav-scroll overscroll-none collapse pt-1" id="docinfo-collapse"> <div class="bg-light-subtle p-0"> <table class="table table-sm table-borderless small"> <tbody class="meta align-top"> <tr> <th scope="row"></th> <th scope="row">Title</th> <td class="edit"></td> <td>The Web Origin Concept</td> </tr> </tbody> <tbody class="meta align-top "> <tr> <th scope="row">Document</th> <th scope="row">Document type</th> <td class="edit"></td> <td> <span class="text-success">RFC - Proposed Standard </span> <br>December 2011 <br> <a class="btn btn-sm btn-warning" title="Click to report an error in the document." href="https://www.rfc-editor.org/errata.php#reportnew" target="_blank"> Report errata </a> <div> Was <a href="/doc/draft-ietf-websec-origin/06/">draft-ietf-websec-origin</a> (<a href="/wg/websec/about/">websec WG</a>) </div> </td> </tr> <tr> <td></td> <th scope="row">Select version</th> <td class="edit"></td> <td> <ul class="revision-list pagination pagination-sm text-center flex-wrap my-0"> <li class="page-item"> <a class="page-link" href="/doc/html/draft-ietf-websec-origin-06" rel="nofollow"> 06 </a> </li> <li class="page-item rfc active"> <a class="page-link" href="/doc/html/rfc6454"> RFC 6454 </a> </li> </ul> </td> </tr> <tr> <td></td> <th scope="row">Compare versions</th> <td class="edit"></td> <td> <form class="form-horizontal diff-form" action="https://author-tools.ietf.org/iddiff" method="get" target="_blank"> <select class="form-select form-select-sm mb-1 select2-field" data-max-entries="1" data-width="resolve" data-allow-clear="false" data-minimum-input-length="0" aria-label="From revision" name="url1"> <option value="rfc6454"> RFC 6454 </option> <option value="draft-ietf-websec-origin-06" selected> draft-ietf-websec-origin-06 </option> <option value="draft-ietf-websec-origin-05"> draft-ietf-websec-origin-05 </option> <option value="draft-ietf-websec-origin-04"> draft-ietf-websec-origin-04 </option> <option value="draft-ietf-websec-origin-03"> draft-ietf-websec-origin-03 </option> <option value="draft-ietf-websec-origin-02"> draft-ietf-websec-origin-02 </option> <option value="draft-ietf-websec-origin-01"> draft-ietf-websec-origin-01 </option> <option value="draft-ietf-websec-origin-00"> draft-ietf-websec-origin-00 </option> </select> <select class="form-select form-select-sm mb-1 select2-field" data-max-entries="1" data-width="resolve" data-allow-clear="false" data-minimum-input-length="0" aria-label="To revision" name="url2"> <option value="rfc6454" selected> RFC 6454 </option> <option value="draft-ietf-websec-origin-06"> draft-ietf-websec-origin-06 </option> <option value="draft-ietf-websec-origin-05"> draft-ietf-websec-origin-05 </option> <option value="draft-ietf-websec-origin-04"> draft-ietf-websec-origin-04 </option> <option value="draft-ietf-websec-origin-03"> draft-ietf-websec-origin-03 </option> <option value="draft-ietf-websec-origin-02"> draft-ietf-websec-origin-02 </option> <option value="draft-ietf-websec-origin-01"> draft-ietf-websec-origin-01 </option> <option value="draft-ietf-websec-origin-00"> draft-ietf-websec-origin-00 </option> </select> <button type="submit" class="btn btn-primary btn-sm" value="--html" name="difftype"> Side-by-side </button> <button type="submit" class="btn btn-primary btn-sm" value="--hwdiff" name="difftype"> Inline </button> </form> </td> </tr> <tr> <td></td> <th scope="row">Author</th> <td class="edit"> </td> <td> <span ><a title="Datatracker profile of Adam Barth" href="/person/abarth@eecs.berkeley.edu" >Adam Barth</a> <a href="mailto:abarth%40eecs.berkeley.edu" aria-label="Compose email to abarth@eecs.berkeley.edu" title="Compose email to abarth@eecs.berkeley.edu"> <i class="bi bi-envelope"></i></a></span> <br> <a class="btn btn-primary btn-sm mt-1" href="mailto:rfc6454@ietf.org?subject=rfc6454" title="Send email to the document authors">Email authors</a> </td> </tr> <tr> <td></td> <th scope="row"> RFC stream </th> <td class="edit"> </td> <td > <img alt="IETF Logo" class="d-lm-none w-25 mt-1" src="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor-white.svg" > <img alt="IETF Logo" class="d-dm-none w-25 mt-1" src="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor.svg" > </td> </tr> <tr> <td></td> <th scope="row"> Other formats </th> <td class="edit"> </td> <td> <div class="buttonlist"> <a class="btn btn-primary btn-sm" target="_blank" href="https://www.rfc-editor.org/rfc/rfc6454.txt"> <i class="bi bi-file-text"></i> txt </a> <a class="btn btn-primary btn-sm" target="_blank" href="https://www.rfc-editor.org/rfc/rfc6454.html"> <i class="bi bi-file-code"></i> html </a> <a class="btn btn-primary btn-sm" download="rfc6454.pdf" target="_blank" href="https://www.rfc-editor.org/rfc/pdfrfc/rfc6454.txt.pdf"> <i class="bi bi-file-pdf"></i> pdf </a> <a class="btn btn-primary btn-sm" target="_blank" href="/doc/rfc6454/bibtex/"> <i class="bi bi-file-ruled"></i> bibtex </a> </div> </td> </tr> <tr> <td> </td> <th scope="row"> Additional resources </th> <td class="edit"> </td> <td> <a href="https://mailarchive.ietf.org/arch/browse/websec?q=rfc6454 OR %22draft-ietf-websec-origin%22"> Mailing list discussion </a> </td> </tr> </tbody> <tr> <th scope="row"></th> <th scope="row"></th> <td class="edit"></td> <td> <a class="btn btn-sm btn-warning mb-3" target="_blank" href="https://github.com/ietf-tools/datatracker/issues/new/choose"> Report a bug <i class="bi bi-bug"></i> </a> </td> </tr> </table> </div> </div> </nav> <div class="row g-0"> <div class="col-md-9 d-flex justify-content-center lh-sm" data-bs-spy="scroll" data-bs-target="#toc-nav" data-bs-smooth-scroll="true" tabindex="0" id="content"> <div class="rfcmarkup"> <br class="noprint"> <!-- [html-validate-disable-block attr-quotes, void-style, element-permitted-content, heading-level -- FIXME: rfcmarkup/rfc2html generates HTML with issues] --> <div class="rfcmarkup"><pre>Internet Engineering Task Force (IETF) A. Barth Request for Comments: 6454 Google, Inc. Category: Standards Track December 2011 ISSN: 2070-1721 <span class="h1">The Web Origin Concept</span> Abstract This document defines the concept of an &quot;origin&quot;, which is often used as the scope of authority or privilege by user agents. Typically, user agents isolate content retrieved from different origins to prevent malicious web site operators from interfering with the operation of benign web sites. In addition to outlining the principles that underlie the concept of origin, this document details how to determine the origin of a URI and how to serialize an origin into a string. It also defines an HTTP header field, named &quot;Origin&quot;, that indicates which origins are associated with an HTTP request. Status of This Memo This is an Internet Standards Track document. This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in <a href="/doc/html/rfc5741#section-2">Section&nbsp;2 of RFC 5741</a>. Information about the current status of this document, any errata, and how to provide feedback on it may be obtained at <a href="http://www.rfc-editor.org/info/rfc6454">http://www.rfc-editor.org/info/rfc6454</a>. Copyright Notice Copyright (c) 2011 IETF Trust and the persons identified as the document authors. All rights reserved. This document is subject to <a href="/doc/html/bcp78">BCP 78</a> and the IETF Trust&#x27;s Legal Provisions Relating to IETF Documents (<a href="http://trustee.ietf.org/license-info">http://trustee.ietf.org/license-info</a>) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License. <span class="grey">Barth Standards Track [Page 1]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-2" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> Table of Contents <a href="#section-1">1</a>. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a> <a href="#section-2">2</a>. Conventions . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a> <a href="#section-2.1">2.1</a>. Conformance Criteria . . . . . . . . . . . . . . . . . . . <a href="#page-3">3</a> <a href="#section-2.2">2.2</a>. Syntax Notation . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a> <a href="#section-2.3">2.3</a>. Terminology . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-4">4</a> <a href="#section-3">3</a>. Principles of the Same-Origin Policy . . . . . . . . . . . . . <a href="#page-4">4</a> <a href="#section-3.1">3.1</a>. Trust . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a> <a href="#section-3.1.1">3.1.1</a>. Pitfalls . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-5">5</a> <a href="#section-3.2">3.2</a>. Origin . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-6">6</a> <a href="#section-3.2.1">3.2.1</a>. Examples . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a> <a href="#section-3.3">3.3</a>. Authority . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-7">7</a> <a href="#section-3.3.1">3.3.1</a>. Pitfalls . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a> <a href="#section-3.4">3.4</a>. Policy . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a> <a href="#section-3.4.1">3.4.1</a>. Object Access . . . . . . . . . . . . . . . . . . . . <a href="#page-8">8</a> <a href="#section-3.4.2">3.4.2</a>. Network Access . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a> <a href="#section-3.4.3">3.4.3</a>. Pitfalls . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-9">9</a> <a href="#section-3.5">3.5</a>. Conclusion . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a> <a href="#section-4">4</a>. Origin of a URI . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-10">10</a> <a href="#section-5">5</a>. Comparing Origins . . . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a> <a href="#section-6">6</a>. Serializing Origins . . . . . . . . . . . . . . . . . . . . . <a href="#page-11">11</a> <a href="#section-6.1">6.1</a>. Unicode Serialization of an Origin . . . . . . . . . . . . <a href="#page-12">12</a> <a href="#section-6.2">6.2</a>. ASCII Serialization of an Origin . . . . . . . . . . . . . <a href="#page-12">12</a> <a href="#section-7">7</a>. The HTTP Origin Header Field . . . . . . . . . . . . . . . . . <a href="#page-13">13</a> <a href="#section-7.1">7.1</a>. Syntax . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a> <a href="#section-7.2">7.2</a>. Semantics . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-13">13</a> <a href="#section-7.3">7.3</a>. User Agent Requirements . . . . . . . . . . . . . . . . . <a href="#page-14">14</a> <a href="#section-8">8</a>. Security Considerations . . . . . . . . . . . . . . . . . . . <a href="#page-14">14</a> <a href="#section-8.1">8.1</a>. Reliance on DNS . . . . . . . . . . . . . . . . . . . . . <a href="#page-15">15</a> <a href="#section-8.2">8.2</a>. Divergent Units of Isolation . . . . . . . . . . . . . . . <a href="#page-15">15</a> <a href="#section-8.3">8.3</a>. Ambient Authority . . . . . . . . . . . . . . . . . . . . <a href="#page-16">16</a> <a href="#section-8.4">8.4</a>. IDNA Dependency and Migration . . . . . . . . . . . . . . <a href="#page-16">16</a> <a href="#section-9">9</a>. IANA Considerations . . . . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a> <a href="#section-10">10</a>. References . . . . . . . . . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a> <a href="#section-10.1">10.1</a>. Normative References . . . . . . . . . . . . . . . . . . . <a href="#page-17">17</a> <a href="#section-10.2">10.2</a>. Informative References . . . . . . . . . . . . . . . . . . <a href="#page-18">18</a> <a href="#appendix-A">Appendix A</a>. Acknowledgements . . . . . . . . . . . . . . . . . . <a href="#page-20">20</a> <span class="grey">Barth Standards Track [Page 2]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-3" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h2"><a class="selflink" id="section-1" href="#section-1">1</a>. Introduction</span> User agents interact with content created by a large number of authors. Although many of those authors are well-meaning, some authors might be malicious. To the extent that user agents undertake actions based on content they process, user agent implementors might wish to restrict the ability of malicious authors to disrupt the confidentiality or integrity of other content or servers. As an example, consider an HTTP user agent that renders HTML content retrieved from various servers. If the user agent executes scripts contained in those documents, the user agent implementor might wish to prevent scripts retrieved from a malicious server from reading documents stored on an honest server, which might, for example, be behind a firewall. Traditionally, user agents have divided content according to its &quot;origin&quot;. More specifically, user agents allow content retrieved from one origin to interact freely with other content retrieved from that origin, but user agents restrict how that content can interact with content from another origin. This document describes the principles behind the so-called same- origin policy as well as the &quot;nuts and bolts&quot; of comparing and serializing origins. This document does not describe all the facets of the same-origin policy, the details of which are left to other specifications, such as HTML [<a href="#ref-HTML" title="&quot;HTML5&quot;">HTML</a>] and WebSockets [<a href="/doc/html/rfc6455" title="&quot;The WebSocket Protocol&quot;">RFC6455</a>], because the details are often application-specific. <span class="h2"><a class="selflink" id="section-2" href="#section-2">2</a>. Conventions</span> <span class="h3"><a class="selflink" id="section-2.1" href="#section-2.1">2.1</a>. Conformance Criteria</span> The key words &quot;MUST&quot;, &quot;MUST NOT&quot;, &quot;REQUIRED&quot;, &quot;SHALL&quot;, &quot;SHALL NOT&quot;, &quot;SHOULD&quot;, &quot;SHOULD NOT&quot;, &quot;RECOMMENDED&quot;, &quot;MAY&quot;, and &quot;OPTIONAL&quot; in this document are to be interpreted as described in [<a href="/doc/html/rfc2119" title="&quot;Key words for use in RFCs to Indicate Requirement Levels&quot;">RFC2119</a>]. Requirements phrased in the imperative as part of algorithms (such as &quot;strip any leading space characters&quot; or &quot;return false and abort these steps&quot;) are to be interpreted with the meaning of the key word (&quot;MUST&quot;, &quot;SHOULD&quot;, &quot;MAY&quot;, etc.) used in introducing the algorithm. Conformance requirements phrased as algorithms or specific steps can be implemented in any manner, so long as the end result is equivalent. In particular, the algorithms defined in this specification are intended to be easy to understand and are not intended to be performant. <span class="grey">Barth Standards Track [Page 3]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-4" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h3"><a class="selflink" id="section-2.2" href="#section-2.2">2.2</a>. Syntax Notation</span> This specification uses the Augmented Backus-Naur Form (ABNF) notation of [<a href="/doc/html/rfc5234" title="&quot;Augmented BNF for Syntax Specifications: ABNF&quot;">RFC5234</a>]. The following core rules are included by reference, as defined in <a href="/doc/html/rfc5234#appendix-B.1">[RFC5234], Appendix&nbsp;B.1</a>: ALPHA (letters), CR (carriage return), CRLF (CR LF), CTL (controls), DIGIT (decimal 0-9), DQUOTE (double quote), HEXDIG (hexadecimal 0-9/A-F/a-f), LF (line feed), OCTET (any 8-bit sequence of data), SP (space), HTAB (horizontal tab), CHAR (any US- ASCII character), VCHAR (any visible US-ASCII character), and WSP (whitespace). The OWS rule is used where zero or more linear whitespace octets might appear. OWS SHOULD either not be produced or be produced as a single SP. Multiple OWS octets that occur within field-content SHOULD either be replaced with a single SP or transformed to all SP octets (each octet other than SP replaced with SP) before interpreting the field value or forwarding the message downstream. OWS = *( SP / HTAB / obs-fold ) ; &quot;optional&quot; whitespace obs-fold = CRLF ( SP / HTAB ) ; obsolete line folding <span class="h3"><a class="selflink" id="section-2.3" href="#section-2.3">2.3</a>. Terminology</span> The terms &quot;user agent&quot;, &quot;client&quot;, &quot;server&quot;, &quot;proxy&quot;, and &quot;origin server&quot; have the same meaning as in the HTTP/1.1 specification (<a href="/doc/html/rfc2616#section-1.3">[RFC2616], Section&nbsp;1.3</a>). A globally unique identifier is a value that is different from all other previously existing values. For example, a sufficiently long random string is likely to be a globally unique identifier. If the origin value never leaves the user agent, a monotonically increasing counter local to the user agent can also serve as a globally unique identifier. <span class="h2"><a class="selflink" id="section-3" href="#section-3">3</a>. Principles of the Same-Origin Policy</span> Many user agents undertake actions on behalf of remote parties. For example, HTTP user agents follow redirects, which are instructions from remote servers, and HTML user agents expose rich Document Object Model (DOM) interfaces to scripts retrieved from remote servers. Without any security model, user agents might undertake actions detrimental to the user or to other parties. Over time, many web- related technologies have converged towards a common security model, <span class="grey">Barth Standards Track [Page 4]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-5" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> known colloquially as the &quot;same-origin policy&quot;. Although this security model evolved largely organically, the same-origin policy can be understood in terms of a handful of key concepts. This section presents those concepts and provides advice about how to use these concepts securely. <span class="h3"><a class="selflink" id="section-3.1" href="#section-3.1">3.1</a>. Trust</span> The same-origin policy specifies trust by URI. For example, HTML documents designate which script to run with a URI: &lt;script src=&quot;https://example.com/library.js&quot;&gt;&lt;/script&gt; When a user agent processes this element, the user agent will fetch the script at the designated URI and execute the script with the privileges of the document. In this way, the document grants all the privileges it has to the resource designated by the URI. In essence, the document declares that it trusts the integrity of information retrieved from that URI. In addition to importing libraries from URIs, user agents also send information to remote parties designated by URI. For example, consider the HTML form element: &lt;form method=&quot;POST&quot; action=&quot;https://example.com/login&quot;&gt; ... &lt;input type=&quot;password&quot;&gt; ... &lt;/form&gt; When the user enters his or her password and submits the form, the user agent sends the password to the network endpoint designated by the URI. In this way, the document exports its secret data to that URI, in essence declaring that it trusts the confidentiality of information sent to that URI. <span class="h4"><a class="selflink" id="section-3.1.1" href="#section-3.1.1">3.1.1</a>. Pitfalls</span> When designing new protocols that use the same-origin policy, make sure that important trust distinctions are visible in URIs. For example, if both Transport Layer Security (TLS) and non-TLS protected resources use the &quot;http&quot; URI scheme (as in [<a href="/doc/html/rfc2817" title="&quot;Upgrading to TLS Within HTTP/1.1&quot;">RFC2817</a>]), a document would be unable to specify that it wishes to retrieve a script only over TLS. By using the &quot;https&quot; URI scheme, documents are able to indicate that they wish to interact with resources that are protected from active network attackers. <span class="grey">Barth Standards Track [Page 5]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-6" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h3"><a class="selflink" id="section-3.2" href="#section-3.2">3.2</a>. Origin</span> In principle, user agents could treat every URI as a separate protection domain and require explicit consent for content retrieved from one URI to interact with another URI. Unfortunately, this design is cumbersome for developers because web applications often consist of a number of resources acting in concert. Instead, user agents group URIs together into protection domains called &quot;origins&quot;. Roughly speaking, two URIs are part of the same origin (i.e., represent the same principal) if they have the same scheme, host, and port. (See <a href="#section-4">Section 4</a> for full details.) Q: Why not just use the host? A: Including the scheme in the origin tuple is essential for security. If user agents did not include the scheme, there would be no isolation between http://example.com and https://example.com because the two have the same host. However, without this isolation, an active network attacker could corrupt content retrieved from http://example.com and have that content instruct the user agent to compromise the confidentiality and integrity of content retrieved from https://example.com, bypassing the protections afforded by TLS [<a href="/doc/html/rfc5246" title="&quot;The Transport Layer Security (TLS) Protocol Version 1.2&quot;">RFC5246</a>]. Q: Why use the fully qualified host name instead of just the &quot;top- level&quot; domain? A: Although the DNS has hierarchical delegation, the trust relationships between host names vary by deployment. For example, at many educational institutions, students can host content at <a href="https://example.edu/~student/">https://example.edu/~student/</a>, but that does not mean a document authored by a student should be part of the same origin (i.e., inhabit the same protection domain) as a web application for managing grades hosted at <a href="https://grades.example.edu/">https://grades.example.edu/</a>. The example.edu deployment illustrates that grouping resources by origin does not always align perfectly with every deployment scenario. In this deployment, every student&#x27;s web site inhabits the same origin, which might not be desirable. In some sense, the origin granularity is a historical artifact of how the security model evolved. <span class="grey">Barth Standards Track [Page 6]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-7" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h4"><a class="selflink" id="section-3.2.1" href="#section-3.2.1">3.2.1</a>. Examples</span> All of the following resources have the same origin: http://example.com/ <a href="http://example.com:80/">http://example.com:80/</a> http://example.com/path/file Each of the URIs has the same scheme, host, and port components. Each of the following resources has a different origin from the others. http://example.com/ <a href="http://example.com:8080/">http://example.com:8080/</a> http://www.example.com/ <a href="https://example.com:80/">https://example.com:80/</a> https://example.com/ http://example.org/ <a href="http://ietf.org/">http://ietf.org/</a> In each case, at least one of the scheme, host, and port component will differ from the others in the list. <span class="h3"><a class="selflink" id="section-3.3" href="#section-3.3">3.3</a>. Authority</span> Although user agents group URIs into origins, not every resource in an origin carries the same authority (in the security sense of the word &quot;authority&quot;, not in the [<a href="/doc/html/rfc3986" title="&quot;Uniform Resource Identifier (URI): Generic Syntax&quot;">RFC3986</a>] sense). For example, an image is passive content and, therefore, carries no authority, meaning the image has no access to the objects and resources available to its origin. By contrast, an HTML document carries the full authority of its origin, and scripts within (or imported into) the document can access every resource in its origin. User agents determine how much authority to grant a resource by examining its media type. For example, resources with a media type of image/png are treated as images, and resources with a media type of text/html are treated as HTML documents. When hosting untrusted content (such as user-generated content), web applications can limit that content&#x27;s authority by restricting its media type. For example, serving user-generated content as image/png is less risky than serving user-generated content as text/html. Of course, many web applications incorporate untrusted content in their HTML documents. If not done carefully, these applications risk leaking their origin&#x27;s authority to the untrusted content, a vulnerability commonly known as cross-site scripting. <span class="grey">Barth Standards Track [Page 7]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-8" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h4"><a class="selflink" id="section-3.3.1" href="#section-3.3.1">3.3.1</a>. Pitfalls</span> When designing new pieces of the web platform, be careful not to grant authority to resources irrespective of media type. Many web applications serve untrusted content with restricted media types. A new web platform feature that grants authority to these pieces of content risks introducing vulnerabilities into existing applications. Instead, prefer to grant authority to media types that already possess the origin&#x27;s full authority or to new media types designed specifically to carry the new authority. In order to remain compatible with servers that supply incorrect media types, some user agents employ &quot;content sniffing&quot; and treat content as if it had a different media type than the media type supplied by the server. If not done carefully, content sniffing can lead to security vulnerabilities because user agents might grant low- authority media types, such as images, the privileges of high- authority media types, such as HTML documents [<a href="#ref-SNIFF" title="&quot;Media Type Sniffing&quot;">SNIFF</a>]. <span class="h3"><a class="selflink" id="section-3.4" href="#section-3.4">3.4</a>. Policy</span> Generally speaking, user agents isolate different origins and permit controlled communication between origins. The details of how user agents provide isolation and communication vary depending on several factors. <span class="h4"><a class="selflink" id="section-3.4.1" href="#section-3.4.1">3.4.1</a>. Object Access</span> Most objects (also known as application programming interfaces or APIs) exposed by the user agent are available only to the same origin. Specifically, content retrieved from one URI can access objects associated with content retrieved from another URI if, and only if, the two URIs belong to the same origin, e.g., have the same scheme, host, and port. There are some exceptions to this general rule. For example, some parts of HTML&#x27;s Location interface are available across origins (e.g., to allow for navigating other browsing contexts). As another example, HTML&#x27;s postMessage interface is visible across origins explicitly to facilitate cross-origin communication. Exposing objects to foreign origins is dangerous and should be done only with great care because doing so exposes these objects to potential attackers. <span class="grey">Barth Standards Track [Page 8]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-9" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h4"><a class="selflink" id="section-3.4.2" href="#section-3.4.2">3.4.2</a>. Network Access</span> Access to network resources varies depending on whether the resources are in the same origin as the content attempting to access them. Generally, reading information from another origin is forbidden. However, an origin is permitted to use some kinds of resources retrieved from other origins. For example, an origin is permitted to execute script, render images, and apply style sheets from any origin. Likewise, an origin can display content from another origin, such as an HTML document in an HTML frame. Network resources can also opt into letting other origins read their information, for example, using Cross-Origin Resource Sharing [<a href="#ref-CORS" title="&quot;Cross-Origin Resource Sharing&quot;">CORS</a>]. In these cases, access is typically granted on a per-origin basis. Sending information to another origin is permitted. However, sending information over the network in arbitrary formats is dangerous. For this reason, user agents restrict documents to sending information using particular protocols, such as in an HTTP request without custom headers. Expanding the set of allowed protocols, for example, by adding support for WebSockets, must be done carefully to avoid introducing vulnerabilities [<a href="/doc/html/rfc6455" title="&quot;The WebSocket Protocol&quot;">RFC6455</a>]. <span class="h4"><a class="selflink" id="section-3.4.3" href="#section-3.4.3">3.4.3</a>. Pitfalls</span> Whenever user agents allow one origin to interact with resources from another origin, they invite security issues. For example, the ability to display images from another origin leaks their height and width. Similarly, the ability to send network requests to another origin gives rise to cross-site request forgery vulnerabilities [<a href="#ref-CSRF" title="&quot;Robust Defenses for Cross-Site Request Forgery&quot;">CSRF</a>]. However, user agent implementors often balance these risks against the benefits of allowing the cross-origin interaction. For example, an HTML user agent that blocked cross-origin network requests would prevent its users from following hyperlinks, a core feature of the web. When adding new functionality to the web platform, it can be tempting to grant a privilege to one resource but to withhold that privilege from another resource in the same origin. However, withholding privileges in this way is ineffective because the resource without the privilege can usually obtain the privilege anyway because user agents do not isolate resources within an origin. Instead, privileges should be granted or withheld from origins as a whole (rather than discriminating between individual resources within an origin) [<a href="#ref-BOFGO" title="&quot;Beware of Finer-Grained Origins&quot;">BOFGO</a>]. <span class="grey">Barth Standards Track [Page 9]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-10" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h3"><a class="selflink" id="section-3.5" href="#section-3.5">3.5</a>. Conclusion</span> The same-origin policy uses URIs to designate trust relationships. URIs are grouped together into origins, which represent protection domains. Some resources in an origin (e.g., active content) are granted the origin&#x27;s full authority, whereas other resources in the origin (e.g., passive content) are not granted the origin&#x27;s authority. Content that carries its origin&#x27;s authority is granted access to objects and network resources within its own origin. This content is also granted limited access to objects and network resources of other origins, but these cross-origin privileges must be designed carefully to avoid security vulnerabilities. <span class="h2"><a class="selflink" id="section-4" href="#section-4">4</a>. Origin of a URI</span> The origin of a URI is the value computed by the following algorithm: 1. If the URI does not use a hierarchical element as a naming authority (see <a href="/doc/html/rfc3986#section-3.2">[RFC3986], Section&nbsp;3.2</a>) or if the URI is not an absolute URI, then generate a fresh globally unique identifier and return that value. NOTE: Running this algorithm multiple times for the same URI can produce different values each time. Typically, user agents compute the origin of, for example, an HTML document once and use that origin for subsequent security checks rather than recomputing the origin for each security check. 2. Let uri-scheme be the scheme component of the URI, converted to lowercase. 3. If the implementation doesn&#x27;t support the protocol given by uri- scheme, then generate a fresh globally unique identifier and return that value. 4. If uri-scheme is &quot;file&quot;, the implementation MAY return an implementation-defined value. NOTE: Historically, user agents have granted content from the file scheme a tremendous amount of privilege. However, granting all local files such wide privileges can lead to privilege escalation attacks. Some user agents have had success granting local files directory-based privileges, but this approach has not been widely adopted. Other user agents use globally unique identifiers for each file URI, which is the most secure option. <span class="grey">Barth Standards Track [Page 10]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-11" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> 5. Let uri-host be the host component of the URI, converted to lower case (using the i;ascii-casemap collation defined in [<a href="/doc/html/rfc4790" title="&quot;Internet Application Protocol Collation Registry&quot;">RFC4790</a>]). NOTE: This document assumes that the user agent performs Internationalizing Domain Names in Applications (IDNA) processing and validation when constructing the URI. In particular, this document assumes the uri-host will contain only LDH labels because the user agent will have already converted any non-ASCII labels to their corresponding A-labels (see [<a href="/doc/html/rfc5890" title="&quot;Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework&quot;">RFC5890</a>]). For this reason, origin-based security policies are sensitive to the IDNA algorithm employed by the user agent. See <a href="#section-8.4">Section 8.4</a> for further discussion. 6. If there is no port component of the URI: 1. Let uri-port be the default port for the protocol given by uri-scheme. Otherwise: 2. Let uri-port be the port component of the URI. 7. Return the triple (uri-scheme, uri-host, uri-port). <span class="h2"><a class="selflink" id="section-5" href="#section-5">5</a>. Comparing Origins</span> Two origins are &quot;the same&quot; if, and only if, they are identical. In particular: o If the two origins are scheme/host/port triples, the two origins are the same if, and only if, they have identical schemes, hosts, and ports. o An origin that is a globally unique identifier cannot be the same as an origin that is a scheme/host/port triple. Two URIs are same-origin if their origins are the same. NOTE: A URI is not necessarily same-origin with itself. For example, a data URI [<a href="/doc/html/rfc2397" title="&quot;The &quot;">RFC2397</a>] is not same-origin with itself because data URIs do not use a server-based naming authority and therefore have globally unique identifiers as origins. <span class="h2"><a class="selflink" id="section-6" href="#section-6">6</a>. Serializing Origins</span> This section defines how to serialize an origin to a unicode [<a href="#ref-Unicode6" title="&quot;The Unicode Standard, Version 6.0.0&quot;">Unicode6</a>] string and to an ASCII [<a href="/doc/html/rfc20" title="&quot;ASCII format for network interchange&quot;">RFC20</a>] string. <span class="grey">Barth Standards Track [Page 11]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-12" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h3"><a class="selflink" id="section-6.1" href="#section-6.1">6.1</a>. Unicode Serialization of an Origin</span> The unicode-serialization of an origin is the value returned by the following algorithm: 1. If the origin is not a scheme/host/port triple, then return the string null (i.e., the code point sequence U+006E, U+0075, U+006C, U+006C) and abort these steps. 2. Otherwise, let result be the scheme part of the origin triple. 3. Append the string &quot;://&quot; to result. 4. Append each component of the host part of the origin triple (converted as follows) to the result, separated by U+002E FULL STOP code points (&quot;.&quot;): 1. If the component is an A-label, use the corresponding U-label instead (see [<a href="/doc/html/rfc5890" title="&quot;Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework&quot;">RFC5890</a>] and [<a href="/doc/html/rfc5891" title="&quot;Internationalized Domain Names in Applications (IDNA): Protocol&quot;">RFC5891</a>]). 2. Otherwise, use the component verbatim. 5. If the port part of the origin triple is different from the default port for the protocol given by the scheme part of the origin triple: 1. Append a U+003A COLON code point (&quot;:&quot;) and the given port, in base ten, to result. 6. Return result. <span class="h3"><a class="selflink" id="section-6.2" href="#section-6.2">6.2</a>. ASCII Serialization of an Origin</span> The ascii-serialization of an origin is the value returned by the following algorithm: 1. If the origin is not a scheme/host/port triple, then return the string null (i.e., the code point sequence U+006E, U+0075, U+006C, U+006C) and abort these steps. <span class="grey">Barth Standards Track [Page 12]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-13" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> 2. Otherwise, let result be the scheme part of the origin triple. 3. Append the string &quot;://&quot; to result. 4. Append the host part of the origin triple to result. 5. If the port part of the origin triple is different from the default port for the protocol given by the scheme part of the origin triple: 1. Append a U+003A COLON code point (&quot;:&quot;) and the given port, in base ten, to result. 6. Return result. <span class="h2"><a class="selflink" id="section-7" href="#section-7">7</a>. The HTTP Origin Header Field</span> This section defines the HTTP Origin header field. <span class="h3"><a class="selflink" id="section-7.1" href="#section-7.1">7.1</a>. Syntax</span> The Origin header field has the following syntax: origin = &quot;Origin:&quot; OWS origin-list-or-null OWS origin-list-or-null = %x6E %x75 %x6C %x6C / origin-list origin-list = serialized-origin *( SP serialized-origin ) serialized-origin = scheme &quot;://&quot; host [ &quot;:&quot; port ] ; &lt;scheme&gt;, &lt;host&gt;, &lt;port&gt; from <a href="/doc/html/rfc3986">RFC 3986</a> <span class="h3"><a class="selflink" id="section-7.2" href="#section-7.2">7.2</a>. Semantics</span> When included in an HTTP request, the Origin header field indicates the origin(s) that &quot;caused&quot; the user agent to issue the request, as defined by the API that triggered the user agent to issue the request. For example, consider a user agent that executes scripts on behalf of origins. If one of those scripts causes the user agent to issue an HTTP request, the user agent MAY use the Origin header field to inform the server of the security context in which the script was executing when it caused the user agent to issue the request. In some cases, a number of origins contribute to causing the user agents to issue an HTTP request. In those cases, the user agent MAY list all the origins in the Origin header field. For example, if the HTTP request was initially issued by one origin but then later <span class="grey">Barth Standards Track [Page 13]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-14" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> redirected by another origin, the user agent MAY inform the server that two origins were involved in causing the user agent to issue the request. <span class="h3"><a class="selflink" id="section-7.3" href="#section-7.3">7.3</a>. User Agent Requirements</span> The user agent MAY include an Origin header field in any HTTP request. The user agent MUST NOT include more than one Origin header field in any HTTP request. Whenever a user agent issues an HTTP request from a &quot;privacy- sensitive&quot; context, the user agent MUST send the value &quot;null&quot; in the Origin header field. NOTE: This document does not define the notion of a privacy- sensitive context. Applications that generate HTTP requests can designate contexts as privacy-sensitive to impose restrictions on how user agents generate Origin header fields. When generating an Origin header field, the user agent MUST meet the following requirements: o Each of the serialized-origin productions in the grammar MUST be the ascii-serialization of an origin. o No two consecutive serialized-origin productions in the grammar can be identical. In particular, if the user agent would generate two consecutive serialized-origins, the user agent MUST NOT generate the second one. <span class="h2"><a class="selflink" id="section-8" href="#section-8">8</a>. Security Considerations</span> The same-origin policy is one of the cornerstones of security for many user agents, including web browsers. Historically, some user agents tried other security models, including taint tracking and exfiltration prevention, but those models proved difficult to implement at the time (although there has been recent interest in reviving some of these ideas). Evaluating the security of the same-origin policy is difficult because the origin concept itself plays such a central role in the security landscape. The notional origin itself is just a unit of isolation, imperfect as are most one-size-fits-all notions. That said, there are some systemic weaknesses, discussed below. <span class="grey">Barth Standards Track [Page 14]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-15" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h3"><a class="selflink" id="section-8.1" href="#section-8.1">8.1</a>. Reliance on DNS</span> In practice, the same-origin policy relies upon the Domain Name System (DNS) for security because many commonly used URI schemes, such as http, use DNS-based naming authorities. If the DNS is partially or fully compromised, the same-origin policy might fail to provide the security properties required by applications. Some URI schemes, such as https, are more resistant to DNS compromise because user agents employ other mechanisms, such as certificates, to verify the source of content retrieved from these URIs. Other URI schemes, such as the chrome-extension URI scheme (see Section 4.3 of [<a href="#ref-CRX" title="&quot;Protecting Browsers from Extension Vulnerabilities&quot;">CRX</a>]), use a public-key-based naming authority and are fully secure against DNS compromise. The web origin concept isolates content retrieved from different URI schemes; this is essential to containing the effects of DNS compromise. <span class="h3"><a class="selflink" id="section-8.2" href="#section-8.2">8.2</a>. Divergent Units of Isolation</span> Over time, a number of technologies have converged on the web origin concept as a convenient unit of isolation. However, many technologies in use today, such as cookies [<a href="/doc/html/rfc6265" title="&quot;HTTP State Management Mechanism&quot;">RFC6265</a>], pre-date the modern web origin concept. These technologies often have different isolation units, leading to vulnerabilities. One alternative is to use only the &quot;registry-controlled&quot; domain rather than the fully qualified domain name as the unit of isolation (e.g., &quot;example.com&quot; instead of &quot;www.example.com&quot;). This practice is problematic for a number of reasons and is NOT RECOMMENDED: 1. The notion of a &quot;registry-controlled&quot; domain is a function of human practice surrounding the DNS rather than a property of the DNS itself. For example, many municipalities in Japan run public registries quite deep in the DNS hierarchy. There are widely used &quot;public suffix lists&quot;, but these lists are difficult to keep up to date and vary between implementations. 2. This practice is incompatible with URI schemes that do not use a DNS-based naming authority. For example, if a given URI scheme uses public keys as naming authorities, the notion of a &quot;registry-controlled&quot; public key is somewhat incoherent. Worse, some URI schemes, such as nntp, use dotted delegation in the opposite direction from DNS (e.g., alt.usenet.kooks), and others use the DNS but present the labels in the reverse of the usual order (e.g., com.example.www). <span class="grey">Barth Standards Track [Page 15]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-16" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> At best, using &quot;registry-controlled&quot; domains is URI-scheme- and implementation-specific. At worst, differences between URI schemes and implementations can lead to vulnerabilities. <span class="h3"><a class="selflink" id="section-8.3" href="#section-8.3">8.3</a>. Ambient Authority</span> When using the same-origin policy, user agents grant authority to content based on its URI rather than based on which objects the content can designate. This disentangling of designation from authority is an example of ambient authority and can lead to vulnerabilities. Consider, for example, cross-site scripting in HTML documents. If an attacker can inject script content into an HTML document, those scripts will run with the authority of the document&#x27;s origin, perhaps allowing the script access to sensitive information, such as the user&#x27;s medical records. If, however, the script&#x27;s authority were limited to those objects that the script could designate, the attacker would not gain any advantage by injecting the script into an HTML document hosted by a third party. <span class="h3"><a class="selflink" id="section-8.4" href="#section-8.4">8.4</a>. IDNA Dependency and Migration</span> The security properties of the same-origin policy can depend crucially on details of the IDNA algorithm employed by the user agent. In particular, a user agent might map some international domain names (for example, those involving the U+00DF character) to different ASCII representations depending on whether the user agent uses IDNA2003 [<a href="/doc/html/rfc3490" title="&quot;Internationalizing Domain Names in Applications (IDNA)&quot;">RFC3490</a>] or IDNA2008 [<a href="/doc/html/rfc5890" title="&quot;Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework&quot;">RFC5890</a>]. Migrating from one IDNA algorithm to another might redraw a number of security boundaries, potentially erecting new security boundaries or, worse, tearing down security boundaries between two mutually distrusting entities. Changing security boundaries is risky because combining two mutually distrusting entities into the same origin might allow one to attack the other. <span class="grey">Barth Standards Track [Page 16]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-17" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h2"><a class="selflink" id="section-9" href="#section-9">9</a>. IANA Considerations</span> The permanent message header field registry (see [<a href="/doc/html/rfc3864" title="&quot;Registration Procedures for Message Header Fields&quot;">RFC3864</a>]) has been updated with the following registration: Header field name: Origin Applicable protocol: http Status: standard Author/Change controller: IETF Specification document: this specification (<a href="#section-7">Section 7</a>) <span class="h2"><a class="selflink" id="section-10" href="#section-10">10</a>. References</span> <span class="h3"><a class="selflink" id="section-10.1" href="#section-10.1">10.1</a>. Normative References</span> [<a id="ref-RFC20">RFC20</a>] Cerf, V., &quot;ASCII format for network interchange&quot;, <a href="/doc/html/rfc20">RFC 20</a>, October 1969. [<a id="ref-RFC2119">RFC2119</a>] Bradner, S., &quot;Key words for use in RFCs to Indicate Requirement Levels&quot;, <a href="/doc/html/bcp14">BCP 14</a>, <a href="/doc/html/rfc2119">RFC 2119</a>, March 1997. [<a id="ref-RFC2616">RFC2616</a>] Fielding, R., Gettys, J., Mogul, J., Frystyk, H., Masinter, L., Leach, P., and T. Berners-Lee, &quot;Hypertext Transfer Protocol -- HTTP/1.1&quot;, <a href="/doc/html/rfc2616">RFC 2616</a>, June 1999. [<a id="ref-RFC3864">RFC3864</a>] Klyne, G., Nottingham, M., and J. Mogul, &quot;Registration Procedures for Message Header Fields&quot;, <a href="/doc/html/bcp90">BCP 90</a>, <a href="/doc/html/rfc3864">RFC 3864</a>, September 2004. [<a id="ref-RFC3986">RFC3986</a>] Berners-Lee, T., Fielding, R., and L. Masinter, &quot;Uniform Resource Identifier (URI): Generic Syntax&quot;, STD 66, <a href="/doc/html/rfc3986">RFC 3986</a>, January 2005. [<a id="ref-RFC4790">RFC4790</a>] Newman, C., Duerst, M., and A. Gulbrandsen, &quot;Internet Application Protocol Collation Registry&quot;, <a href="/doc/html/rfc4790">RFC 4790</a>, March 2007. [<a id="ref-RFC5234">RFC5234</a>] Crocker, D., Ed. and P. Overell, &quot;Augmented BNF for Syntax Specifications: ABNF&quot;, STD 68, <a href="/doc/html/rfc5234">RFC 5234</a>, January 2008. [<a id="ref-RFC5890">RFC5890</a>] Klensin, J., &quot;Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework&quot;, <a href="/doc/html/rfc5890">RFC 5890</a>, August 2010. <span class="grey">Barth Standards Track [Page 17]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-18" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> [<a id="ref-RFC5891">RFC5891</a>] Klensin, J., &quot;Internationalized Domain Names in Applications (IDNA): Protocol&quot;, <a href="/doc/html/rfc5891">RFC 5891</a>, August 2010. [<a id="ref-Unicode6">Unicode6</a>] The Unicode Consortium, &quot;The Unicode Standard, Version 6.0.0&quot;, 2011, &lt;<a href="http://www.unicode.org/versions/Unicode6.0.0/">http://www.unicode.org/versions/Unicode6.0.0/</a>&gt;. <span class="h3"><a class="selflink" id="section-10.2" href="#section-10.2">10.2</a>. Informative References</span> [<a id="ref-BOFGO">BOFGO</a>] Jackson, C. and A. Barth, &quot;Beware of Finer-Grained Origins&quot;, 2008, &lt;<a href="http://w2spconf.com/2008/papers/s2p1.pdf">http://w2spconf.com/2008/papers/s2p1.pdf</a>&gt;. [<a id="ref-CORS">CORS</a>] van Kesteren, A., &quot;Cross-Origin Resource Sharing&quot;, W3C Working Draft WD-cors-20100727, July 2010, &lt;<a href="http://www.w3.org/TR/2010/WD-cors-20100727/">http://www.w3.org/TR/2010/WD-cors-20100727/</a>&gt;. Latest version available at &lt;<a href="http://www.w3.org/TR/cors/">http://www.w3.org/TR/cors/</a>&gt;. [<a id="ref-CRX">CRX</a>] Barth, A., Felt, A., Saxena, P., and A. Boodman, &quot;Protecting Browsers from Extension Vulnerabilities&quot;, 2010, &lt;<a href="http://www.isoc.org/isoc/conferences/ndss/10/pdf/04.pdf">http://www.isoc.org/isoc/conferences/ndss/10/pdf/</a> <a href="http://www.isoc.org/isoc/conferences/ndss/10/pdf/04.pdf">04.pdf</a>&gt;. [<a id="ref-CSRF">CSRF</a>] Barth, A., Jackson, C., and J. Mitchell, &quot;Robust Defenses for Cross-Site Request Forgery&quot;, 2008, &lt;<a href="http://portal.acm.org/citation.cfm?id=1455770.1455782">http://portal.acm.org/citation.cfm?id=1455770.1455782</a>&gt;. [<a id="ref-HTML">HTML</a>] Hickson, I., &quot;HTML5&quot;, W3C Working Draft WD-html5- 20110525, May 2011, &lt;<a href="http://www.w3.org/TR/2011/WD-html5-20110525/">http://www.w3.org/TR/2011/WD-html5-20110525/</a>&gt;. Latest version available at &lt;<a href="http://www.w3.org/TR/html5/">http://www.w3.org/TR/html5/</a>&gt;. [<a id="ref-RFC2397">RFC2397</a>] Masinter, L., &quot;The &quot;data&quot; URL scheme&quot;, <a href="/doc/html/rfc2397">RFC 2397</a>, August 1998. [<a id="ref-RFC2817">RFC2817</a>] Khare, R. and S. Lawrence, &quot;Upgrading to TLS Within HTTP/1.1&quot;, <a href="/doc/html/rfc2817">RFC 2817</a>, May 2000. [<a id="ref-RFC3490">RFC3490</a>] Faltstrom, P., Hoffman, P., and A. Costello, &quot;Internationalizing Domain Names in Applications (IDNA)&quot;, <a href="/doc/html/rfc3490">RFC 3490</a>, March 2003. [<a id="ref-RFC5246">RFC5246</a>] Dierks, T. and E. Rescorla, &quot;The Transport Layer Security (TLS) Protocol Version 1.2&quot;, <a href="/doc/html/rfc5246">RFC 5246</a>, August 2008. <span class="grey">Barth Standards Track [Page 18]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-19" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> [<a id="ref-RFC6265">RFC6265</a>] Barth, A., &quot;HTTP State Management Mechanism&quot;, <a href="/doc/html/rfc6265">RFC 6265</a>, April 2011. [<a id="ref-RFC6455">RFC6455</a>] Fette, I. and A. Melnikov, &quot;The WebSocket Protocol&quot;, <a href="/doc/html/rfc6455">RFC 6455</a>, December 2011. [<a id="ref-SNIFF">SNIFF</a>] Barth, A. and I. Hickson, &quot;Media Type Sniffing&quot;, Work in Progress, May 2011. <span class="grey">Barth Standards Track [Page 19]</span></pre> <hr class='noprint'/><!--NewPage--><pre class='newpage'><span id="page-20" ></span> <span class="grey"><a href="/doc/html/rfc6454">RFC 6454</a> The Web Origin Concept December 2011</span> <span class="h2"><a class="selflink" id="appendix-A" href="#appendix-A">Appendix A</a>. Acknowledgements</span> We would like to thank Lucas Adamski, Stephen Farrell, Miguel A. Garcia, Tobias Gondrom, Ian Hickson, Anne van Kesteren, Jeff Hodges, Collin Jackson, Larry Masinter, Alexey Melnikov, Mark Nottingham, Julian Reschke, Peter Saint-Andre, Jonas Sicking, Sid Stamm, Daniel Veditz, and Chris Weber for their valuable feedback on this document. Author&#x27;s Address Adam Barth Google, Inc. EMail: ietf@adambarth.com URI: <a href="http://www.adambarth.com/">http://www.adambarth.com/</a> Barth Standards Track [Page 20] </pre></div> </div> </div> <div class="d-print-none col-md-3 bg-light-subtle collapse show" id="sidebar"> <div class="position-fixed border-start sidebar overflow-scroll overscroll-none no-scrollbar"> <div class="d-flex flex-column vh-100 pt-2 pt-lg-3 ps-3 pl-md-2 pl-lg-3"> <div> <a class="btn btn-primary btn-sm" href="/doc/rfc6454/">Datatracker</a> <p class="fw-bold pt-2"> RFC 6454 <br> <span class="text-success">RFC - Proposed Standard </span> </p> </div> <ul class="nav nav-tabs nav-fill small me-2" role="tablist"> <li class="nav-item" role="presentation" title="Document information"> <button class="nav-link px-2" id="docinfo-tab" data-bs-toggle="tab" data-bs-target="#docinfo-tab-pane" type="button" role="tab" aria-controls="docinfo-tab-pane" aria-selected="true"> <i class="bi bi-info-circle"></i><span class="d-none d-md-block d-xl-inline ms-xl-1">Info</span> </button> </li> <li class="nav-item" role="presentation" title="Table of contents"> <button class="nav-link px-2" id="toc-tab" data-bs-toggle="tab" data-bs-target="#toc-tab-pane" type="button" role="tab" aria-controls="toc-tab-pane" aria-selected="false"> <i class="bi bi-list-ol"></i><span class="d-none d-md-block d-xl-inline ms-xl-1">Contents</span> </button> </li> <li class="nav-item" role="presentation" title="Preferences"> <button class="nav-link px-2" id="pref-tab" data-bs-toggle="tab" data-bs-target="#pref-tab-pane" type="button" role="tab" aria-controls="pref-tab-pane" aria-selected="false"> <i class="bi bi-gear"></i><span class="d-none d-md-block d-xl-inline ms-xl-1">Prefs</span> </button> </li> </ul> <div class="overflow-auto tab-content pt-2 me-2"> <div class="tab-pane" id="docinfo-tab-pane" role="tabpanel" aria-labelledby="docinfo-tab" tabindex="0"> <table class="table table-sm table-borderless"> <tbody class="meta align-top "> <tr> <th scope="row">Document</th> <th scope="row">Document type</th> <td class="edit"></td> <td> <span class="text-success">RFC - Proposed Standard </span> <br>December 2011 <br> <a class="btn btn-sm btn-warning" title="Click to report an error in the document." href="https://www.rfc-editor.org/errata.php#reportnew" target="_blank"> Report errata </a> <div> Was <a href="/doc/draft-ietf-websec-origin/06/">draft-ietf-websec-origin</a> (<a href="/wg/websec/about/">websec WG</a>) </div> </td> </tr> <tr> <td></td> <th scope="row">Select version</th> <td class="edit"></td> <td> <ul class="revision-list pagination pagination-sm text-center flex-wrap my-0"> <li class="page-item"> <a class="page-link" href="/doc/html/draft-ietf-websec-origin-06" rel="nofollow"> 06 </a> </li> <li class="page-item rfc active"> <a class="page-link" href="/doc/html/rfc6454"> RFC 6454 </a> </li> </ul> </td> </tr> <tr> <td></td> <th scope="row">Compare versions</th> <td class="edit"></td> <td> <form class="form-horizontal diff-form" action="https://author-tools.ietf.org/iddiff" method="get" target="_blank"> <select class="form-select form-select-sm mb-1 select2-field" data-max-entries="1" data-width="resolve" data-allow-clear="false" data-minimum-input-length="0" aria-label="From revision" name="url1"> <option value="rfc6454"> RFC 6454 </option> <option value="draft-ietf-websec-origin-06" selected> draft-ietf-websec-origin-06 </option> <option value="draft-ietf-websec-origin-05"> draft-ietf-websec-origin-05 </option> <option value="draft-ietf-websec-origin-04"> draft-ietf-websec-origin-04 </option> <option value="draft-ietf-websec-origin-03"> draft-ietf-websec-origin-03 </option> <option value="draft-ietf-websec-origin-02"> draft-ietf-websec-origin-02 </option> <option value="draft-ietf-websec-origin-01"> draft-ietf-websec-origin-01 </option> <option value="draft-ietf-websec-origin-00"> draft-ietf-websec-origin-00 </option> </select> <select class="form-select form-select-sm mb-1 select2-field" data-max-entries="1" data-width="resolve" data-allow-clear="false" data-minimum-input-length="0" aria-label="To revision" name="url2"> <option value="rfc6454" selected> RFC 6454 </option> <option value="draft-ietf-websec-origin-06"> draft-ietf-websec-origin-06 </option> <option value="draft-ietf-websec-origin-05"> draft-ietf-websec-origin-05 </option> <option value="draft-ietf-websec-origin-04"> draft-ietf-websec-origin-04 </option> <option value="draft-ietf-websec-origin-03"> draft-ietf-websec-origin-03 </option> <option value="draft-ietf-websec-origin-02"> draft-ietf-websec-origin-02 </option> <option value="draft-ietf-websec-origin-01"> draft-ietf-websec-origin-01 </option> <option value="draft-ietf-websec-origin-00"> draft-ietf-websec-origin-00 </option> </select> <button type="submit" class="btn btn-primary btn-sm" value="--html" name="difftype"> Side-by-side </button> <button type="submit" class="btn btn-primary btn-sm" value="--hwdiff" name="difftype"> Inline </button> </form> </td> </tr> <tr> <td></td> <th scope="row">Author</th> <td class="edit"> </td> <td> <span ><a title="Datatracker profile of Adam Barth" href="/person/abarth@eecs.berkeley.edu" >Adam Barth</a> <a href="mailto:abarth%40eecs.berkeley.edu" aria-label="Compose email to abarth@eecs.berkeley.edu" title="Compose email to abarth@eecs.berkeley.edu"> <i class="bi bi-envelope"></i></a></span> <br> <a class="btn btn-primary btn-sm mt-1" href="mailto:rfc6454@ietf.org?subject=rfc6454" title="Send email to the document authors">Email authors</a> </td> </tr> <tr> <td></td> <th scope="row"> RFC stream </th> <td class="edit"> </td> <td > <img alt="IETF Logo" class="d-lm-none w-25 mt-1" src="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor-white.svg" > <img alt="IETF Logo" class="d-dm-none w-25 mt-1" src="https://static.ietf.org/dt/12.28.2/ietf/images/ietf-logo-nor.svg" > </td> </tr> <tr> <td></td> <th scope="row"> Other formats </th> <td class="edit"> </td> <td> <div class="buttonlist"> <a class="btn btn-primary btn-sm" target="_blank" href="https://www.rfc-editor.org/rfc/rfc6454.txt"> <i class="bi bi-file-text"></i> txt </a> <a class="btn btn-primary btn-sm" target="_blank" href="https://www.rfc-editor.org/rfc/rfc6454.html"> <i class="bi bi-file-code"></i> html </a> <a class="btn btn-primary btn-sm" download="rfc6454.pdf" target="_blank" href="https://www.rfc-editor.org/rfc/pdfrfc/rfc6454.txt.pdf"> <i class="bi bi-file-pdf"></i> pdf </a> <a class="btn btn-primary btn-sm" target="_blank" href="/doc/rfc6454/bibtex/"> <i class="bi bi-file-ruled"></i> bibtex </a> </div> </td> </tr> <tr> <td> </td> <th scope="row"> Additional resources </th> <td class="edit"> </td> <td> <a href="https://mailarchive.ietf.org/arch/browse/websec?q=rfc6454 OR %22draft-ietf-websec-origin%22"> Mailing list discussion </a> </td> </tr> </tbody> </table> <a class="btn btn-sm btn-warning mb-3" target="_blank" href="https://github.com/ietf-tools/datatracker/issues/new/choose"> Report a datatracker bug <i class="bi bi-bug"></i> </a> </div> <div class="tab-pane mb-5" id="toc-tab-pane" role="tabpanel" aria-labelledby="toc-tab" tabindex="0"> <nav class="nav nav-pills flex-column small" id="toc-nav"> </nav> </div> <div class="tab-pane mb-5 small" id="pref-tab-pane" role="tabpanel" aria-labelledby="pref-tab" tabindex="0"> <label class="form-label fw-bold mb-2">Show sidebar by default</label> <div class="btn-group-vertical btn-group-sm d-flex" role="group"> <input type="radio" class="btn-check" name="sidebar" id="on-radio"> <label class="btn btn-outline-primary" for="on-radio">Yes</label> <input type="radio" class="btn-check" name="sidebar" id="off-radio"> <label class="btn btn-outline-primary" for="off-radio">No</label> </div> <label class="form-label fw-bold mt-4 mb-2">Tab to show by default</label> <div class="btn-group-vertical btn-group-sm d-flex" role="group"> <input type="radio" class="btn-check" name="deftab" id="docinfo-radio"> <label class="btn btn-outline-primary" for="docinfo-radio"> <i class="bi bi-info-circle me-1"></i>Info </label> <input type="radio" class="btn-check" name="deftab" id="toc-radio"> <label class="btn btn-outline-primary" for="toc-radio"> <i class="bi bi-list-ol me-1"></i>Contents </label> </div> <label class="form-label fw-bold mt-4 mb-2">HTMLization configuration</label> <div class="btn-group-vertical btn-group-sm d-flex" role="group"> <input type="radio" class="btn-check" name="htmlconf" id="txt-radio"> <label class="btn btn-outline-primary" for="txt-radio" title="This is the traditional HTMLization method."> <i class="bi bi-badge-sd me-1"></i>HTMLize the plaintext </label> <input type="radio" class="btn-check" name="htmlconf" id="html-radio"> <label class="btn btn-outline-primary" for="html-radio" title="This is the modern HTMLization method."> <i class="bi bi-badge-hd me-1"></i>Plaintextify the HTML </label> </div> <label class="form-label fw-bold mt-4 mb-2" for="ptsize">Maximum font size</label> <input type="range" class="form-range" min="7" max="16" id="ptsize" oninput="ptdemo.value = ptsize.value"> <label class="form-label fw-bold mt-4 mb-2">Page dependencies</label> <div class="btn-group-vertical btn-group-sm d-flex" role="group"> <input type="radio" class="btn-check" name="pagedeps" id="inline-radio"> <label class="btn btn-outline-primary" for="inline-radio" title="Generate larger, standalone web pages that do not require network access to render."> <i class="bi bi-box me-1"></i>Inline </label> <input type="radio" class="btn-check" name="pagedeps" id="reference-radio"> <label class="btn btn-outline-primary" for="reference-radio" title="Generate regular web pages that require network access to render."> <i class="bi bi-link-45deg me-1"></i>Reference </label> </div> <label class="form-label fw-bold mt-4 mb-2">Citation links</label> <div class="btn-group-vertical btn-group-sm d-flex" role="group"> <input type="radio" class="btn-check" name="reflinks" id="refsection-radio"> <label class="btn btn-outline-primary" for="refsection-radio" title="Citation links go to the reference section."> <i class="bi bi-arrow-clockwise"></i> Go to reference section </label> <input type="radio" class="btn-check" name="reflinks" id="citation-radio"> <label class="btn btn-outline-primary" for="citation-radio" title="Citation links go directly to the cited document."> <i class="bi bi-link-45deg me-1"></i>Go to linked document </label> </div> </div> </div> </div> </div> </div> </div> <script type="text/javascript"> var _paq = window._paq || []; _paq.push(['disableCookies']); _paq.push(['trackPageView']); _paq.push(['enableLinkTracking']); (function() { var u="//analytics.ietf.org/"; _paq.push(['setTrackerUrl', u+'matomo.php']); _paq.push(['setSiteId', 7]); var d=document, g=d.createElement('script'), s=d.getElementsByTagName('script')[0]; g.type='text/javascript'; g.async=true; g.defer=true; g.src=u+'matomo.js'; s.parentNode.insertBefore(g,s); })(); </script> <noscript><p><img src="//analytics.ietf.org/piwik.php?idsite=7" style="border:0;" alt="" /></p></noscript> <script>(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.innerHTML="window.__CF$cv$params={r:'8e929968296e8362',t:'MTczMjcxNTU1Mi4wMDAwMDA='};var a=document.createElement('script');a.nonce='';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script></body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10