This document defines the concept of an "origin", which is often
used as the scope of authority or privilege by user agents. Typically,
user agents isolate content retrieved from different origins to
prevent malicious web site operators from interfering with the
operation of benign web sites. In addition to outlining the
principles that underlie the concept of origin, this document defines
how to determine the origin of a URI, how to serialize an origin into
a string, and an HTTP header, named "Origin", that indicates which
origins are associated with an HTTP request.
Working Group Summary
There was nothing particularly worth noting about the WG process.
Specifically there was no strong controversy about this document.
The document received sufficient review from WG participants and
individuals outside the WG. Furthermore, reviews also covered
document versions before their adoption by the WG or even prior to
the formation of the WebSec WG (i.e., draft-abarth-origin and
The origin concept is widely used in the web browser and application
environment to determine trusted sources. Still, it may be noteworthy
that some current implementations of the origin concept may differ
in whether all three elements of the origin-tuple must be identical
to constitute identity of origin (in some current browser
implementations the scheme or port might receive less weight).
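
The strict comparison of the origin-tuple described above, next to a host-only comparison of the weaker kind, as an added example that is not part of the original document or of any browser's code. The function names are hypothetical, the URIs are constructed samples, and limiting tuple origins to the four listed schemes is an assumption of the example.

```javascript
// Added example; names are hypothetical and the sample URIs are constructed.
// Assumption: only these schemes yield a (scheme, host, port) origin here.
const DEFAULT_PORTS = { "http:": 80, "https:": 443, "ws:": 80, "wss:": 443 };

// Origin of a URI: a triple, or null for a globally unique (opaque) origin.
function originOf(uri) {
  let u;
  try { u = new URL(uri); } catch { return null; }
  if (!(u.protocol in DEFAULT_PORTS) || u.hostname === "") return null;
  return {
    scheme: u.protocol.slice(0, -1),
    host: u.hostname, // the URL parser lowercases and ASCII-encodes the host
    port: u.port === "" ? DEFAULT_PORTS[u.protocol] : Number(u.port),
  };
}

// Serialize an origin; the port is omitted when it is the scheme's default.
function serializeOrigin(o) {
  if (o === null) return "null";
  const isDefault = DEFAULT_PORTS[o.scheme + ":"] === o.port;
  return `${o.scheme}://${o.host}${isDefault ? "" : ":" + o.port}`;
}

// Strict comparison: all three elements must be identical.
function sameOrigin(a, b) {
  if (a === null || b === null) return false; // opaque origins never match
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Weaker comparison that gives scheme and port no weight (for contrast only).
function hostOnlyMatch(a, b) {
  return a !== null && b !== null && a.host === b.host;
}

// Pairs the weaker check treats as identical but the strict check separates.
function disagreements(uris) {
  const out = [];
  for (let i = 0; i < uris.length; i++)
    for (let j = i + 1; j < uris.length; j++) {
      const a = originOf(uris[i]), b = originOf(uris[j]);
      if (hostOnlyMatch(a, b) && !sameOrigin(a, b))
        out.push([serializeOrigin(a), serializeOrigin(b)]);
    }
  return out;
}

const SAMPLE = ["http://example.com/", "HTTP://EXAMPLE.COM:80/x",
  "https://example.com/", "http://example.com:8080/", "data:text/plain,hi"];
console.log(disagreements(SAMPLE));
```

Each pair reported is a boundary that an implementation giving less weight to scheme or port would fail to enforce.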
The text regarding comparison of internationalized domain names
benefited from extensive discussion with Patrik Faltstrom, Jeff Hodges,
John Klensin, and Pete Resnick.