The same-origin policy is a critical security mechanism that restricts how a document or script loaded from one origin can interact with a resource from another origin. It helps isolate potentially malicious documents, reducing possible attack vectors.

Definition of an origin

Two URLs have the same origin if the protocol, port (if specified), and host are the same for both. You may see this referenced as the 'scheme/host/port tuple', or just 'tuple'. (A 'tuple' is a set of items that together comprise a whole — a generic form for double/triple/quadruple/quintuple/etc.)

The following table gives examples of origin comparisons with the URL http://store.company.com/dir/page.html:

URL                                              Outcome       Reason
http://store.company.com/dir2/other.html         Same origin   Only the path differs
http://store.company.com/dir/inner/another.html  Same origin   Only the path differs
https://store.company.com/page.html              Failure       Different protocol
http://store.company.com:81/dir/page.html        Failure       Different port (http:// is port 80 by default)
http://news.company.com/dir/page.html            Failure       Different host
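The comparison the table illustrates, written out as code. This is an added example, not code from the original page: it builds the scheme/host/port tuple explicitly (filling in the default port when the URL omits it) and cross-checks the verdict against the origin the WHATWG URL API computes, which is what browsers and Node.js expose as the global URL class. The last two rows of the list go beyond the table to show that an explicit default port and a differently-cased host are still the same origin.

```javascript
// Added example (not part of the original page): explicit same-origin
// comparison on the (scheme, host, port) tuple, cross-checked against the
// WHATWG URL API's `.origin`, which encodes the same tuple.

// Default ports per scheme: omitting the port or spelling out the default
// yields the same origin.
const DEFAULT_PORTS = { "http:": "80", "https:": "443", "ws:": "80", "wss:": "443" };

// The tuple the same-origin policy actually compares.
function originTuple(urlString) {
  const u = new URL(urlString);                       // lower-cases the host for us
  const port = u.port !== "" ? u.port : (DEFAULT_PORTS[u.protocol] ?? "");
  return { scheme: u.protocol, host: u.hostname, port };
}

// Same origin iff every component of the tuple matches.
function sameOrigin(a, b) {
  const ta = originTuple(a), tb = originTuple(b);
  return ta.scheme === tb.scheme && ta.host === tb.host && ta.port === tb.port;
}

// Verdict plus the reason, in the wording of the table above.
function compareOrigins(a, b) {
  const ta = originTuple(a), tb = originTuple(b);
  if (ta.scheme !== tb.scheme) return "Failure: different protocol";
  if (ta.host !== tb.host) return "Failure: different host";
  if (ta.port !== tb.port) return "Failure: different port";
  return "Same origin";
}

const BASE = "http://store.company.com/dir/page.html";
const CASES = [
  "http://store.company.com/dir2/other.html",
  "http://store.company.com/dir/inner/another.html",
  "https://store.company.com/page.html",
  "http://store.company.com:81/dir/page.html",
  "http://news.company.com/dir/page.html",
  "http://store.company.com:80/dir/page.html",   // explicit default port: same origin
  "http://STORE.company.com/other.html",         // host names are case-insensitive
];

// Runs every case and records whether the URL API agrees with our tuple check.
function runTable() {
  return CASES.map((c) => ({
    url: c,
    outcome: compareOrigins(BASE, c),
    agreesWithUrlApi: (new URL(BASE).origin === new URL(c).origin) === sameOrigin(BASE, c),
  }));
}

for (const row of runTable()) {
  console.log(row.url, "->", row.outcome, row.agreesWithUrlApi ? "" : "(URL API disagrees!)");
}
```

In production code, compare `new URL(x).origin` values rather than hand-rolling the tuple; the explicit version is here only to make the three components visible.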

Inherited origins

Scripts executed from pages with an about:blank or javascript: URL inherit the origin of the document containing that URL, since these types of URLs do not contain information about an origin server.

For example, about:blank is often used as a URL of new, empty popup windows into which the parent script writes content (e.g. via the Window.open() mechanism). If this popup also contains JavaScript, that script would inherit the same origin as the script that created it.

Exceptions in Internet Explorer

Internet Explorer has two major exceptions to the same-origin policy:

Trust Zones
If both domains are in the highly trusted zone (e.g. corporate intranet domains), then the same-origin limitations are not applied.
Port
IE doesn't include port into same-origin checks. Therefore, https://company.com:81/index.html and https://company.com/index.html are considered the same origin and no restrictions are applied.

These exceptions are nonstandard and unsupported in any other browser.

Changing origin

The approach described here (using the document.domain setter) is deprecated because it undermines the security protections provided by the same origin policy, and complicates the origin model in browsers, leading to interoperability problems and security bugs.

A page may change its own origin, with some limitations. A script can set the value of document.domain to its current domain or a superdomain of its current domain. If set to a superdomain of the current domain, the shorter superdomain is used for same-origin checks.

For example, assume a script from the document at http://store.company.com/dir/other.html sets document.domain to 'company.com'.

Afterward, the page can pass the same-origin check with http://company.com/dir/page.html (assuming http://company.com/dir/page.html sets its document.domain to 'company.com' to indicate that it wishes to allow that - see document.domain for more). However, company.com could not set document.domain to othercompany.com, since that is not a superdomain of company.com.

The port number is checked separately by the browser. Any call to document.domain, including document.domain = document.domain, causes the port number to be overwritten with null. Therefore, one cannot make company.com:8080 talk to company.com by only setting document.domain = 'company.com' in the first. It has to be set in both so their port numbers are both null.

The mechanism has some limitations. For example, it will throw a 'SecurityError' DOMException if the document-domain Feature-Policy is enabled or the document is in a sandboxed <iframe>, and changing the origin in this way does not affect the origin checks used by many Web APIs (e.g. localStorage, indexedDB, BroadcastChannel, SharedWorker). A more exhaustive list of failure cases can be found in Document.domain > Failures.

Note: When using document.domain to allow a subdomain to access its parent, you need to set document.domain to the same value in both the parent domain and the subdomain. This is necessary even if doing so is setting the parent domain back to its original value. Failure to do this may result in permission errors.
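The rules in this section are easy to get wrong in the "only one side set it" and port cases, so here is a small model of them that can be exercised outside a browser. This is an added example, not the page's or any browser's code: the Doc class and its sandboxed / featurePolicyBlocks flags are stand-ins for a real document, its sandboxed <iframe> and the document-domain Feature-Policy, and sameOriginDomain() is the check a browser applies to DOM access after document.domain may have been assigned on either side.

```javascript
// Added example (not the page's code): a model of the document.domain rules.

class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// A document is its loading origin tuple plus the mutable domain a script may set.
class Doc {
  constructor(scheme, host, port, opts = {}) {
    this.scheme = scheme;
    this.host = host.toLowerCase();
    this.port = port;
    this.domain = null;                                   // null until document.domain is assigned
    this.sandboxed = Boolean(opts.sandboxed);             // stand-in for a sandboxed <iframe>
    this.featurePolicyBlocks = Boolean(opts.featurePolicyBlocks); // stand-in for document-domain policy
  }
  // Emulates the document.domain setter: only the current host or one of its
  // superdomains is accepted, and the setter is refused where the page says it throws.
  setDomain(value) {
    if (this.sandboxed || this.featurePolicyBlocks) {
      throw new SecurityError("document.domain cannot be set in this document");
    }
    const want = String(value).toLowerCase();
    if (want !== this.host && !this.host.endsWith("." + want)) {
      throw new SecurityError(`${want} is not the host or a superdomain of ${this.host}`);
    }
    this.domain = want;                                   // from now on the port counts as null
  }
}

// Ordinary same-origin check: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Check used for DOM access once document.domain may have been set:
// neither side set it -> ordinary same-origin; exactly one side set it -> denied;
// both set it -> compare scheme and the chosen domain only, ports are ignored.
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  if (a.domain === null || b.domain === null) return false;
  return a.scheme === b.scheme && a.domain === b.domain;
}

function throwsSecurityError(fn) {
  try { fn(); return false; } catch (e) { return e instanceof SecurityError; }
}

// Walks through the cases described in the text and returns the verdicts.
function scenarios() {
  const out = {};
  const store = new Doc("http:", "store.company.com", "80");
  const parent = new Doc("http:", "company.com", "80");
  out.beforeRelaxation = sameOriginDomain(store, parent);      // different hosts: false
  store.setDomain("company.com");
  out.onlySubdomainSet = sameOriginDomain(store, parent);      // parent has not opted in: false
  parent.setDomain("company.com");                             // parent sets its own value
  out.bothSet = sameOriginDomain(store, parent);               // true
  out.otherCompanyRejected = throwsSecurityError(() => parent.setDomain("othercompany.com"));

  const p8080 = new Doc("http:", "company.com", "8080");
  const p80 = new Doc("http:", "company.com", "80");
  p8080.setDomain("company.com");
  out.portOnlyOneSet = sameOriginDomain(p8080, p80);           // false: p80 still has a real port
  p80.setDomain("company.com");
  out.portBothSet = sameOriginDomain(p8080, p80);              // true: both ports now null

  out.sandboxedRejected = throwsSecurityError(() =>
    new Doc("http:", "a.company.com", "80", { sandboxed: true }).setDomain("company.com"));

  const secure = new Doc("https:", "store.company.com", "443");
  secure.setDomain("company.com");
  out.schemeMismatch = sameOriginDomain(secure, parent);       // scheme still has to match: false
  return out;
}

console.log(scenarios());
```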

Cross-origin network access

The same-origin policy controls interactions between two different origins, such as when you use XMLHttpRequest or an <img> element. These interactions are typically placed into three categories:

  • Cross-origin writes are typically allowed. Examples are links, redirects, and form submissions. Some HTTP requests require preflight.
  • Cross-origin embedding is typically allowed. (Examples are listed below.)
  • Cross-origin reads are typically disallowed, but read access is often leaked by embedding. For example, you can read the dimensions of an embedded image, the actions of an embedded script, or the availability of an embedded resource.

Here are some examples of resources which may be embedded cross-origin:

  • JavaScript with <script src='…'></script>. Error details for syntax errors are only available for same-origin scripts.
  • CSS applied with <link href='…'>. Due to the relaxed syntax rules of CSS, cross-origin CSS requires a correct Content-Type header. The exact restrictions vary by browser (Internet Explorer, Firefox, Chrome, Safari and Opera each enforce their own checks; Safari's are described under CVE-2010-0051).
  • Images displayed by <img>.
  • Media played by <video> and <audio>.
  • External resources embedded with <object> and <embed>.
  • Fonts applied with @font-face. Some browsers allow cross-origin fonts, others require same-origin.
  • Anything embedded by <iframe>. Sites can use the X-Frame-Options header, or the frame-ancestors directive of Content-Security-Policy, to prevent cross-origin framing.

How to allow cross-origin access

Use CORS to allow cross-origin access. CORS is a part of HTTP that lets a server state, in response headers, which other origins a browser may allow to read its responses. The browser still sends the request; CORS controls what the cross-origin caller is allowed to see, not what reaches the server.
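The server-side half of that negotiation, as an added example that is not code from the original page. It is a pure function over the incoming request so it can be wired into any Node.js HTTP handler; the allow-list of origins, the permitted methods and headers, and the request objects at the bottom are constructed for the example. Two details matter for security: the server only ever echoes an Origin that exactly matches the allow-list (never a reflected or wildcard value when credentials are allowed), and every response carries Vary: Origin so a shared cache cannot serve one origin's CORS headers to another.

```javascript
// Added example (not the page's code): deciding CORS response headers.

const ALLOWED_ORIGINS = new Set(["https://app.example", "https://admin.example"]); // constructed
const ALLOWED_METHODS = ["GET", "POST", "DELETE"];
const ALLOWED_HEADERS = ["content-type", "authorization"];

// Returns { status, headers } for a preflight, or { headers } to merge into a
// normal response. Header names in `req.headers` are assumed lower-cased, as
// Node's http module delivers them.
function corsDecision(req) {
  const origin = req.headers["origin"];
  const headers = { "Vary": "Origin" };              // cache key must include Origin
  const isPreflight = req.method === "OPTIONS" &&
    "access-control-request-method" in req.headers;

  if (!origin || !ALLOWED_ORIGINS.has(origin)) {
    // Not an origin we accept: send no Access-Control-Allow-Origin at all, so
    // the browser refuses to expose the response to the cross-origin caller.
    return isPreflight ? { status: 403, headers } : { headers };
  }

  headers["Access-Control-Allow-Origin"] = origin;   // exact match only, never "*"
  headers["Access-Control-Allow-Credentials"] = "true";

  if (isPreflight) {
    const method = req.headers["access-control-request-method"].toUpperCase();
    const wanted = (req.headers["access-control-request-headers"] || "")
      .split(",").map((h) => h.trim().toLowerCase()).filter(Boolean);
    if (!ALLOWED_METHODS.includes(method) || !wanted.every((h) => ALLOWED_HEADERS.includes(h))) {
      return { status: 403, headers };               // method or header not on the list
    }
    headers["Access-Control-Allow-Methods"] = ALLOWED_METHODS.join(", ");
    headers["Access-Control-Allow-Headers"] = ALLOWED_HEADERS.join(", ");
    headers["Access-Control-Max-Age"] = "600";       // let the browser cache the preflight
    return { status: 204, headers };
  }
  return { headers };
}

// Constructed requests for the example.
const preflight = {
  method: "OPTIONS",
  headers: {
    origin: "https://app.example",
    "access-control-request-method": "DELETE",
    "access-control-request-headers": "Content-Type, Authorization",
  },
};
const lookalike = { method: "GET", headers: { origin: "https://app.example.attacker.test" } };

console.log(corsDecision(preflight));
console.log(corsDecision(lookalike));
```

Note that an Origin header is sent on cross-origin requests by the browser and cannot be set by page script; matching it against a set rather than a regular expression or a suffix check avoids the classic "app.example.attacker.test" bypass shown in the second request.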

How to block cross-origin access

  • To prevent cross-origin writes, check an unguessable token in the request — known as a Cross-Site Request Forgery (CSRF) token. You must prevent cross-origin reads of pages that require this token.
  • To prevent cross-origin reads of a resource, ensure that it is not embeddable. It is often necessary to prevent embedding because embedding a resource always leaks some information about it.
  • To prevent cross-origin embeds, ensure that your resource cannot be interpreted as one of the embeddable formats listed above. Browsers may not respect the Content-Type header on its own. For example, if you point a <script> tag at an HTML document, the browser will try to parse the HTML as JavaScript. Sending X-Content-Type-Options: nosniff makes browsers honour the declared type and refuse to run a non-script type as a script or apply a non-CSS type as a stylesheet. When your resource is not an entry point to your site, you can also use a CSRF token to prevent embedding.

Cross-origin script API access

JavaScript APIs like iframe.contentWindow, window.parent, window.open, and window.opener allow documents to directly reference each other. When two documents do not have the same origin, these references provide very limited access to Window and Location objects, as described in the next two sections.

To communicate between documents from different origins, use window.postMessage.

Specification: HTML Living Standard § Cross-origin objects.
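The receiving side of window.postMessage is where cross-origin bugs usually live, so here is the handler a practitioner would want, as an added example that is not code from the original page. It checks event.origin against an explicit allow-list before looking at the data, validates the message shape, replies to event.source using the sender's own origin as the target, and the sender names a concrete targetOrigin instead of "*". The origins, message type and the fakeWindow stand-in (used so the sender can be exercised outside a browser) are assumptions for the example.

```javascript
// Added example (not the page's code): origin-checked postMessage handling.

const TRUSTED_ORIGINS = new Set(["https://app.example"]);   // constructed allow-list
const THEMES = new Set(["light", "dark"]);

// Receiver: install with window.addEventListener("message", handleMessage).
// Returns a verdict object so the logic can be tested without a browser.
function handleMessage(event) {
  // 1. Never touch event.data before the origin is known to be trusted.
  if (!TRUSTED_ORIGINS.has(event.origin)) {
    return { accepted: false, reason: "untrusted origin " + event.origin };
  }
  // 2. Treat the payload as untrusted input even from a trusted origin.
  const d = event.data;
  if (!d || typeof d !== "object" || d.type !== "set-theme" || !THEMES.has(d.theme)) {
    return { accepted: false, reason: "malformed message" };
  }
  // 3. Reply only to the window that asked, and only if it is still at that origin.
  if (event.source && typeof event.source.postMessage === "function") {
    event.source.postMessage({ type: "ack", theme: d.theme }, event.origin);
  }
  return { accepted: true, theme: d.theme };
}

// Sender: a specific targetOrigin makes the browser drop the message if the
// target window has since navigated to some other origin.
function sendTheme(targetWindow, theme) {
  targetWindow.postMessage({ type: "set-theme", theme }, "https://widget.example"); // assumed target
}

// Stand-in for a Window object so the example runs outside a browser.
function fakeWindow() {
  const sent = [];
  return { sent, postMessage(data, targetOrigin) { sent.push({ data, targetOrigin }); } };
}

// Usage with constructed events.
const app = fakeWindow();
console.log(handleMessage({ origin: "https://app.example", source: app,
                            data: { type: "set-theme", theme: "dark" } }));
console.log(handleMessage({ origin: "https://app.example.attacker.test", source: app,
                            data: { type: "set-theme", theme: "dark" } }));
```

Compare origins for equality against a set, as above; a regular expression or startsWith() check is how "https://app.example.attacker.test" gets through.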

Window

The following cross-origin access to these Window properties is allowed:

Methods
  window.blur
  window.close
  window.focus
  window.postMessage
Attributes
  window.closed (read only)
  window.frames (read only)
  window.length (read only)
  window.location (read/write)
  window.opener (read only)
  window.parent (read only)
  window.self (read only)
  window.top (read only)
  window.window (read only)

Some browsers allow access to more properties than the above.

Location

The following cross-origin access to Location properties is allowed:

Methods
  location.replace
Attributes
  location.href (write only)

Some browsers allow access to more properties than the above.

Cross-origin data storage access

Access to data stored in the browser such as Web Storage and IndexedDB are separated by origin. Each origin gets its own separate storage, and JavaScript in one origin cannot read from or write to the storage belonging to another origin.

Cookies use a separate definition of origins. A page can set a cookie for its own domain or any parent domain, as long as the parent domain is not a public suffix. Firefox and Chrome use the Public Suffix List to determine if a domain is a public suffix. Internet Explorer uses its own internal method to determine if a domain is a public suffix. The browser will make a cookie available to the given domain including any sub-domains, no matter which protocol (HTTP/HTTPS) or port is used. When you set a cookie, you can limit its availability using the Domain, Path, Secure, and HttpOnly attributes. When you read a cookie, you cannot see from where it was set. Even if you use only secure https connections, any cookie you see may have been set using an insecure connection, unless it carries the Secure attribute, which current browsers refuse to set or overwrite from an insecure origin.
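The cookie rules above, as an added example that is not code from the original page: which Domain values a page may set, how a Set-Cookie header is parsed into a cookie (with the browser's rejection of disallowed Domain values), and to which URLs a stored cookie is then sent. The public suffix list here is a tiny constructed excerpt, not the real Public Suffix List, and the default Path is simplified to "/" rather than derived from the request path as a browser does.

```javascript
// Added example (not the page's code): cookie Domain rules and cookie matching.

const PUBLIC_SUFFIXES = new Set(["com", "co.uk", "github.io"]); // constructed excerpt of the PSL

function isPublicSuffix(domain) { return PUBLIC_SUFFIXES.has(domain); }

// May a page on `pageHost` set a cookie with Domain=domainAttr?
// Allowed: the host itself or a parent domain, but never a public suffix
// (otherwise one site on .com could plant cookies for every other .com site).
function canSetCookieDomain(pageHost, domainAttr) {
  const host = pageHost.toLowerCase();
  const dom = domainAttr.toLowerCase().replace(/^\./, "");   // a leading dot is ignored
  if (isPublicSuffix(dom)) return false;
  return host === dom || host.endsWith("." + dom);
}

// Parse one Set-Cookie header received by a page on `pageHost`. Returns null
// when a browser would discard the cookie because of a disallowed Domain.
function parseSetCookie(header, pageHost) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: nameValue.slice(0, eq), value: nameValue.slice(eq + 1),
    domain: null,                       // null = host-only cookie
    hostOnly: pageHost.toLowerCase(),
    path: "/",                          // simplified default (see lead-in)
    secure: false, httpOnly: false,
  };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=").map((s) => s.trim());
    switch (k.toLowerCase()) {
      case "domain":
        if (!canSetCookieDomain(pageHost, v)) return null;
        cookie.domain = v.toLowerCase().replace(/^\./, "");
        break;
      case "path":     cookie.path = v || "/"; break;
      case "secure":   cookie.secure = true;   break;
      case "httponly": cookie.httpOnly = true; break;
    }
  }
  return cookie;
}

// Is the stored cookie sent with a request to `url`?
function cookieApplies(cookie, url) {
  const u = new URL(url);
  const host = u.hostname;
  const domainOk = cookie.domain !== null
    ? host === cookie.domain || host.endsWith("." + cookie.domain) // Domain set: host and all subdomains
    : host === cookie.hostOnly;                                    // no Domain: exact host only
  const dir = cookie.path.endsWith("/") ? cookie.path : cookie.path + "/";
  const pathOk = u.pathname === cookie.path || u.pathname.startsWith(dir);
  const secureOk = !cookie.secure || u.protocol === "https:";
  // The port never takes part, and the scheme matters only through Secure.
  return domainOk && pathOk && secureOk;
}

// Usage with constructed headers.
const sid = parseSetCookie("sid=abc; Domain=company.com; Path=/; Secure; HttpOnly", "store.company.com");
console.log(sid, cookieApplies(sid, "https://news.company.com:8443/dir/page.html"));
console.log(parseSetCookie("x=1; Domain=com", "store.company.com")); // null: public suffix
```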
