Origins

What’s an origin? It’s the combination of a protocol (scheme), hostname, and port number, so essentially the scheme, host and port portion of a Uniform Resource Identifier (URI). Official definition by Mozilla:

Same-Origin policy

The same-origin policy is a browser security mitigation that dictates how a browser loads and interacts with resources from a different origin. If I visit a site, for example http://localhost, and a script on that site attempts to fetch another script from http://badwebsite.com without Cross-Origin Resource Sharing (CORS) headers permitting it, the JavaScript hosted on http://localhost will fail to access the fetched content from http://badwebsite.com. The browser still sends the request; it’s just that the JavaScript that created the request is not allowed to read the response.

The same-origin policy controls interactions in three different categories:

  • Writes - typically allowed: links, redirection, and form submissions.
  • Embedding - typically allowed: <img> tags and similar elements can load content from a different origin.
  • Reads - typically disallowed, though read access is often circumvented by embedding.

More on this mitigation from Mozilla:

Cross-Origin resource sharing

This mechanism allows an HTTP server to tell clients (browsers) which origins, other than its own, should be permitted to load its resources. This directive to clients is provided in the HTTP headers of the initial page request. Upon receipt, browsers will submit a “preflight” request to the server(s) hosting the cross-origin resource, checking whether the other server(s) will permit the request.

Some requests don’t trigger a “preflight” request to the target server for CORS; these are known as simple requests.
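To make the origin tuple, the same-origin comparison and the simple-request distinction above concrete, here is an added example (not code from the original page or from Mozilla). It assumes the WHATWG URL class available in browsers and Node, and the hypothetical helper names originOf, isSameOrigin, needsPreflight and corsAllowsRead are mine; nothing in it touches the network.

```javascript
// Added example: origin extraction, same-origin comparison, CORS simple-request
// classification, and a check of the server's Access-Control-Allow-Origin answer.

// An origin is (scheme, host, port). The URL parser drops a scheme's default
// port, so `host` reads "localhost" for both http://localhost and http://localhost:80,
// which matches how browsers serialise the Origin header.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`;
}

function isSameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Simple-request rules from the Fetch standard: method GET, HEAD or POST, only
// CORS-safelisted request headers, and Content-Type limited to three values.
// Anything else makes the browser send an OPTIONS preflight first.
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SAFELISTED = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
const SIMPLE_TYPES = new Set(['application/x-www-form-urlencoded', 'multipart/form-data', 'text/plain']);

function needsPreflight(method, headers = {}) {
  if (!SIMPLE_METHODS.has(method.toUpperCase())) return true;
  for (const [name, value] of Object.entries(headers)) {
    const lower = name.toLowerCase();
    if (!SAFELISTED.has(lower)) return true;           // e.g. Authorization, X-Requested-With
    if (lower === 'content-type' &&
        !SIMPLE_TYPES.has(value.split(';')[0].trim().toLowerCase())) return true;
  }
  return false;
}

// May a page at requestOrigin read a response carrying this
// Access-Control-Allow-Origin value? Mirrors the browser rules: a missing
// header denies, "*" allows only non-credentialed requests, otherwise the
// header must name the requesting origin exactly (after normalisation).
function corsAllowsRead(requestOrigin, allowOriginHeader, withCredentials = false) {
  if (allowOriginHeader === undefined || allowOriginHeader === null) return false;
  if (allowOriginHeader === '*') return !withCredentials;
  try {
    return originOf(allowOriginHeader) === originOf(requestOrigin);
  } catch (e) {
    return false;                                        // malformed header value
  }
}

// Constructed walk-through mirroring the page's example.
console.log(isSameOrigin('http://localhost/app.js', 'http://badwebsite.com/x.js'));  // false
console.log(needsPreflight('PUT', { 'Content-Type': 'application/json' }));          // true
console.log(corsAllowsRead('http://localhost', 'http://localhost:80'));              // true
```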

Mozilla expands on this mitigation greatly here: