
Origin

A combination of scheme, hostname, and port that defines the security boundary for web content under the same-origin policy.

In web security, an origin is defined by the combination of three components: the scheme (protocol), the hostname, and the port number. Two URLs share the same origin only if all three components match exactly. The concept of origin is the foundation of the same-origin policy, which is the primary security boundary enforced by web browsers.

How It Works

The same-origin policy restricts how scripts loaded from one origin can interact with resources from another origin. A script running on https://example.com:443 can freely read and manipulate content from https://example.com:443/page because they share the same origin. However, that same script cannot read responses from https://api.example.com (different hostname), http://example.com (different scheme), or https://example.com:8080 (different port).

This policy prevents malicious websites from reading data from authenticated sessions on other sites. Without it, any website could make requests to your bank's API using your cookies and read the responses, effectively stealing your financial data. The same-origin policy ensures that while a malicious page can send requests to your bank (which is why CSRF exists), it cannot read the responses.

Cross-Origin Resource Sharing (CORS) provides a controlled mechanism for relaxing the same-origin policy. When a server includes appropriate CORS headers in its response — specifying which origins are allowed to read the response — the browser permits cross-origin access. Misconfigured CORS policies that reflect arbitrary origins or allow credentials from untrusted origins effectively disable the same-origin policy's protection.

The Origin header is attached by the browser to cross-origin requests and cannot be set or altered by page JavaScript. Servers use it to make access control decisions and to implement CORS policies. It differs from the Referer header in that it carries only the scheme, host, and port, never the path, and is specifically designed for security decisions. The guarantee is a browser guarantee: a non-browser client can send any Origin value it likes, so the header tells a server which web origin a browser-issued request came from but does not authenticate the caller.
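The origin comparison from "How It Works" and the CORS allow-list decision described above, as an added example that is not part of the original page. It relies only on the WHATWG URL API available in Node.js and browsers; the allow-list entries are constructed, and the handler names are hypothetical.

```javascript
// Added example (not from the original page): origin extraction, same-origin
// comparison and a CORS allow-list check, using only the WHATWG URL API.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// The origin triple: scheme, hostname and port. Path, query and fragment are
// ignored on purpose; they never take part in the origin comparison.
function originOf(urlString) {
  const u = new URL(urlString);
  // The URL parser drops a default port, so restore it for an explicit compare.
  const port = u.port || DEFAULT_PORTS[u.protocol] || '';
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same origin only when all three components match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed allow-list, stored in the serialized form the browser sends in
// the Origin header (scheme://host[:port], default port omitted, no path).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com:8443',
]);

// Misconfigured handler: reflects whatever Origin value arrived, so any site
// that can make a credentialed request also gets to read the response.
function reflectingCorsHeaders(requestOrigin) {
  return {
    'Access-Control-Allow-Origin': requestOrigin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened handler: exact match against the allow-list after normalizing via
// the URL parser; anything else gets no CORS headers, so the browser blocks the read.
function allowListCorsHeaders(requestOrigin) {
  let normalized;
  try { normalized = new URL(requestOrigin).origin; } catch { return {}; }
  if (!ALLOWED_ORIGINS.has(normalized)) return {};
  return {
    'Access-Control-Allow-Origin': normalized,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin', // responses differ per origin; keep caches from mixing them
  };
}
```

A value such as `https://app.example.com.other.example` fails the exact-match check, which is the case that prefix or suffix matching on the hostname gets wrong.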

Why It Matters

The origin model is the cornerstone of web browser security. Every cross-origin attack — from XSS to CSRF to data theft — relates to how origins are enforced, bypassed, or misconfigured. Understanding origins is prerequisite knowledge for anyone working with web application security.
