HTTP same-site VS same-origin Header
Saieed Ahmadi
Network and Network Security Engineer @ SITS-Co | IP Networks | CISCO | F5 | FORTINET | JUNIPER | Design and secure computer networks with Firewalls and ADCs (Application Delivery Controllers) | IT Specialist
HTTP same-site VS same-origin Header
Http “same-site" and "same-origin" are often misunderstood terms. So in this article, I want to talk about it.
"Origin" is a combination of a?scheme?(also known as the?protocol, for example,?HTTP?or?HTTPS), hostname, and?port?(if specified). For example, given a URL of?https://www.example.com:443/foo, the "origin" is?https://www.example.com:443.
"same-origin" and "cross-origin"
Websites that have the combination of the same scheme, hostname, and port are considered "same-origin". Everything else is considered "cross-origin".
In the example above, "site" is the combination of the TLD and the part of the domain just before it. For example, given a URL of?https://www.example.com:443/foo, the "site" is?example.com.
The whole site name is known as the eTLD+1. For example, given a URL of?https://my-project.github.io, the eTLD is?.github.io?and the eTLD+1 is?my-project.github.io, which is considered a "site". In other words, the eTLD+1 is the effective TLD and the part of the domain just before it.
The definition of "same-site" is evolving to consider the URL scheme as part of the site. In this case,?https://www.example.com?and?https://www.example.com?are considered cross-site because the schemes don't match.
?
How to check if a request is "same-site", "same-origin", or "cross-site"
Chrome sends requests along with a?Sec-Fetch-Site?HTTP header.
The header will have one of the following values:
By examining the value of?Sec-Fetch-Site, you can determine if the request is "same-site", "same-origin", or "cross-site". ("schemeful-same-site" is not captured in?Sec-Fetch-Site).
?
Reference: https://web.dev/same-site-same-origin/
?