Subdomain vs Same-Origin Endpoints
Between first-party and third-party URLs, the browser distinguishes different degrees of "first-party-ness". In general, the greater the first-party-ness of a given URL, the more trust the browser places in communication with that URL.
To assess the degree of "first-party-ness" of a given URL, the browser always compares it against the "main document", that is, the URL that the user clicked on or manually entered in the address bar.
Technically, first-party is any URL on the main document's domain or on a subdomain of it. This means that www.delta.bg is a first-party URL relative to delta.bg.
Same-origin, however, is more specific than that. It requires the same protocol (https), subdomains (if any), and domain (delta.bg) as the one the user is on. Therefore, *same-origin* domains are a subset of all *first-party* domains.
For example, https://delta.bg/same-origin is same-origin relative to https://delta.bg, but https://www.delta.bg/ is not.
Sounds confusing? Let's look at the diagram below to understand the components of a URL and how they combine to form same-origin and first-party URLs.
To better understand the difference between first-party and same-origin, let's examine several example URLs relative to a main website hosted at: https://delta.bg/.
| Example URL | First-party? | Same origin? |
|---|---|---|
| https://www.google.com/gtm.js | No | No |
| https://sgtm.delta.bg/gtm.js | Yes | No |
| https://delta.bg/collect/gtm.js | Yes | Yes |
| http://delta.bg/collect/gtm.js | Yes | No |
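
The classification in the table above can be reproduced with the standard `URL` API. This is an added example, not code from the original page: the function name `classify` is hypothetical, and it assumes the main document is served from the registrable domain itself (browsers derive that domain from the Public Suffix List). The `evildelta.bg` and port-variant URLs are constructed inputs that exercise the edge cases.

```javascript
// Classify a request URL relative to the main document (added example).
// Assumption: mainDocumentUrl is on the registrable domain itself (delta.bg).
function classify(requestUrl, mainDocumentUrl) {
  const req = new URL(requestUrl);
  const main = new URL(mainDocumentUrl);

  // URL.origin serializes scheme + host + port (default ports are dropped),
  // so a single string comparison covers every component of the origin.
  const sameOrigin = req.origin === main.origin;

  // Match on a label boundary, not a substring: "sgtm.delta.bg" qualifies,
  // "evildelta.bg" does not, even though it ends with "delta.bg".
  const firstParty =
    req.hostname === main.hostname ||
    req.hostname.endsWith("." + main.hostname);

  return { firstParty, sameOrigin };
}

const MAIN = "https://delta.bg/";
const samples = [
  "https://www.google.com/gtm.js",   // from the table
  "https://sgtm.delta.bg/gtm.js",    // from the table
  "https://delta.bg/collect/gtm.js", // from the table
  "http://delta.bg/collect/gtm.js",  // from the table
  "https://evildelta.bg/gtm.js",     // constructed: look-alike suffix
  "https://delta.bg:443/collect",    // constructed: explicit default port
  "https://delta.bg:8443/collect",   // constructed: non-default port
];

for (const url of samples) {
  const { firstParty, sameOrigin } = classify(url, MAIN);
  console.log(`${url}  first-party=${firstParty}  same-origin=${sameOrigin}`);
}
```

The non-default port case shows that the port is also part of the origin, in addition to the protocol and host.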