Site and origin are not the same, yet they are often conflated: some requests are cross-origin but same-site. The SameSite attribute of a cookie is only concerned with how browsers handle that cookie in cross-site requests (not cross-origin requests). The same-origin policy is a browser-enforced policy that prevents a document from one origin from reading content loaded from another origin. Typically browsers block cross-origin ajax requests unless the server opts in via CORS.
How is origin matched?
For the purposes of origin matching, only the scheme, the host (the domain, including any subdomain), and the port are considered.
Let us say a user types http://example.com/page1 into the browser address bar. The following requests would be considered examples of cross-origin requests:
- If the user clicks on a link or makes a script request to http://subdomain.example.com (host does not match; a subdomain is a different host and hence a different origin)
- If the user clicks on a link or makes a script request to http://anothersite.com (domain does not match)
- If the user clicks on a link or makes a script request to http://example.com:8080 (port is not matching)
- If the user clicks on a link or makes a script request to https://example.com (scheme is not matching)
The following request would be an example of a same-origin request:
- If the user clicks on a link like http://example.com/page2.
Browsers typically do not allow a page's script to read the response of a cross-origin ajax request unless the server opts in via CORS; following a cross-origin link is still allowed, the restriction is on what scripts can read.
How is site determined?
The site of an origin simply corresponds to the registered domain of the origin's host. The registered domain is the public suffix plus the one label to its left; this concept is also called effective top-level domain + 1 (eTLD+1). Modern browsers additionally compare the scheme when deciding whether two URLs are same-site ("schemeful same-site"). Hence:
- for "https://www.example.com", the public suffix is "com", and the registered domain/site is "example.com".
- for "https://subdomain1.example.com", the public suffix is "com", and the registered domain/site is "example.com".
- for "https://subdomain2.example.com", the public suffix is "com", and the registered domain/site is "example.com".
- The site of https://subdomain1.github.io is subdomain1.github.io, because github.io is the host's most specific public suffix; therefore subdomain1.github.io is the host's eTLD+1.
- Similarly, the site of https://subdomain2.github.io is subdomain2.github.io, because github.io is the host's most specific public suffix and, therefore, subdomain2.github.io is the host's eTLD+1.
- The thing to note is that github.io is itself a public suffix. The list of public suffixes can be found at https://publicsuffix.org/list/.
Based on the SameSite attribute of a cookie, the browser determines whether the cookie is sent on a given cross-site request or not.
What is cross origin yet same site?
A request from https://subdomain1.example.com to https://subdomain2.example.com is same-site (both have the site example.com) but cross-origin (the hosts differ).
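The origin and site rules above, worked through in code as an added example (not part of the original post). It embeds a constructed, tiny subset of the public suffix list rather than loading the real one, and the same_site() check compares the scheme as well unless schemeful=False is passed, which goes slightly beyond the registered-domain definition given above.

```python
from urllib.parse import urlsplit

# Constructed subset of the Public Suffix List (https://publicsuffix.org/list/);
# a real implementation must load the full list.
PUBLIC_SUFFIXES = {"com", "io", "github.io", "co.uk"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def origin(url):
    """The (scheme, host, port) tuple a browser compares for same-origin checks."""
    parts = urlsplit(url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)


def public_suffix(host):
    """Longest suffix of host that is on the public suffix list (falls back to the TLD)."""
    labels = host.split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return labels[-1]


def site(url):
    """Registered domain (eTLD+1): the public suffix plus one label to its left."""
    host = urlsplit(url).hostname
    suffix = public_suffix(host)
    if host == suffix:
        return host  # the host itself is a public suffix, e.g. github.io
    left_labels = host[: -len(suffix) - 1].split(".")
    return left_labels[-1] + "." + suffix


def same_origin(a, b):
    return origin(a) == origin(b)


def same_site(a, b, schemeful=True):
    """Same registered domain; with schemeful=True the scheme must match too."""
    if schemeful and urlsplit(a).scheme != urlsplit(b).scheme:
        return False
    return site(a) == site(b)


if __name__ == "__main__":
    a, b = "https://subdomain1.example.com", "https://subdomain2.example.com"
    print("same origin:", same_origin(a, b), "same site:", same_site(a, b))
```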