What is the "same origin model"?
I talk about it here just about every week, but if you haven't ever worked on building a browser you might not know what it means.
The same origin model is the fundamental laws of physics behind the web.
It has the following basic characteristics:
1) Data is segregated by origin.
An "origin" on the web is essentially a domain.
In the app model it's an app.
2) Each origin starts with no data.
This is what makes visiting a new origin safe: it has no information on you.
A user can choose to import data into an origin.
This might be "the actions you take within the origin's view" (e.g. text you type in it, or things you click on).
Or it might be things like "files you upload".
3) Data may flow freely within an origin.
There are no internal "border crossings" or permission prompts.
4) An origin can choose to export data out to another origin.
But by default origins can't see any other origin's data.
That is, origins have distinct, strong boundaries between them.
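The four characteristics above can be modeled in a few lines. This is an added example, not code from the original thread: the `Browser` class and the example.* URLs are hypothetical, and it assumes the browser definition of an origin as scheme + host + port (what `URL.origin` serializes), which is slightly stricter than "a domain".

```javascript
// Toy model of the four same-origin rules (added example; all names are hypothetical).
// Browsers compare origins as scheme + host + port, which URL.origin serializes.
const originOf = (url) => new URL(url).origin;

class Browser {
  constructor() {
    this.stores = new Map(); // rule 1: one isolated store per origin
  }

  // Rule 2: a store is created empty the first time an origin is visited.
  storeFor(url) {
    const origin = originOf(url);
    if (!this.stores.has(origin)) this.stores.set(origin, new Map());
    return this.stores.get(origin);
  }

  // Rule 2: the user imports data by acting inside the origin's view.
  userInput(pageUrl, key, value) {
    this.storeFor(pageUrl).set(key, value);
  }

  // Rule 3 and the default in rule 4: a read succeeds only within one origin.
  read(requesterUrl, ownerUrl, key) {
    if (originOf(requesterUrl) !== originOf(ownerUrl)) {
      throw new Error(`blocked: ${originOf(requesterUrl)} cannot read ${originOf(ownerUrl)}`);
    }
    return this.storeFor(ownerUrl).get(key);
  }

  // Rule 4: the owning origin chooses to push a copy of its data to another origin.
  exportData(ownerUrl, targetUrl, key) {
    const owner = this.storeFor(ownerUrl);
    if (!owner.has(key)) return false;
    this.storeFor(targetUrl).set(key, owner.get(key));
    return true;
  }
}

// Constructed sample data: one user action, then same-origin and cross-origin reads.
function demo() {
  const b = new Browser();
  b.userInput("https://shop.example/cart", "email", "user@example.test");
  const sameOrigin = b.read("https://shop.example/checkout", "https://shop.example/cart", "email");
  let crossOrigin = "allowed";
  try { b.read("https://ads.example/", "https://shop.example/", "email"); } catch (e) { crossOrigin = "blocked"; }
  const freshOriginSize = b.storeFor("https://new.example/").size;
  b.exportData("https://shop.example/", "https://pay.example/", "email");
  return { sameOrigin, crossOrigin, freshOriginSize, afterExport: b.read("https://pay.example/", "https://pay.example/x", "email") };
}
```
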
The same origin model is a simple, clear model that is easy to administer.
The problem is the downstream implications of this model.