What an origin is
The same-origin policy is the browser's core isolation rule. An origin is the triple of scheme, host, and port. Two pages share an origin only when all three match exactly; path, query string, and fragment play no part in the comparison. By default a page may read responses, scripts, and storage only from its own origin.
- Scheme such as https or http must match.
- Host including subdomains must match exactly.
- Port must match; when a URL omits the port, the scheme's default port (80 for http, 443 for https) is implied.
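The three-part comparison above, as an added example that is not part of the original page: it derives the (scheme, host, port) triple from a URL, fills in the implied default port, and checks a few constructed URL pairs. It assumes Node.js with the global WHATWG URL class.

```javascript
// Added example: compute the origin triple of a URL and compare two URLs.
// Assumes Node.js (global URL). Default ports are filled in from the scheme
// when the URL omits them, matching the "implied per scheme" rule.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

function originOf(urlString) {
  const url = new URL(urlString);
  const scheme = url.protocol;                              // e.g. "https:"
  const host = url.hostname;                                // parser lowercases it
  const port = url.port || DEFAULT_PORTS[scheme] || "";     // implied per scheme
  return { scheme, host, port };
}

// Two URLs share an origin only when all three parts match exactly.
function sameOrigin(a, b) {
  const x = originOf(a);
  const y = originOf(b);
  return x.scheme === y.scheme && x.host === y.host && x.port === y.port;
}

// Constructed pairs, one per component of the triple, plus one showing
// that path, query and fragment are ignored.
const CASES = [
  ["https://example.com/login", "https://example.com:443/account", true], // implied port
  ["https://example.com", "http://example.com", false],                   // scheme differs
  ["https://example.com", "https://www.example.com", false],              // subdomain differs
  ["https://example.com", "https://example.com:8443", false],             // port differs
  ["https://example.com/a?x=1", "https://EXAMPLE.com/b#frag", true],     // path/query/fragment ignored
];

function runCases() {
  return CASES.map(([a, b, expected]) => ({ a, b, expected, got: sameOrigin(a, b) }));
}

for (const r of runCases()) {
  console.log(`${r.got === r.expected ? "ok  " : "FAIL"} ${r.a} vs ${r.b} -> ${r.got}`);
}
```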
Why it matters
Without this rule, a malicious page could read your bank account data through requests that carry your cookies. The policy lets the browser send some cross origin requests but blocks the attacker from reading the response. It also walls off cookies, local storage, and the document object model between origins.
- Reading another origin's response is blocked unless the responding server explicitly allows it.
- Sending a form post across origins is still permitted.
- Storage and scripting access stay scoped to one origin.
Many security features, such as cookie scoping, fetch rules, and framing restrictions, build on top of this single idea.
Key idea
The same-origin policy isolates pages by scheme, host, and port so that one origin cannot read another origin's private data.