Same-Origin Policy Checker & Explainer

Enter two URLs and instantly see whether they share an origin, with a full explanation

Compare two URLs and determine whether they share the same origin — protocol, hostname, and port must all match. The tool shows exactly which component differs, explains the browser security restrictions that follow, and points you to CORS, CORP, and postMessage as the right alternatives. Runs entirely in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What exactly defines an origin?

An origin is the tuple of scheme, host, and port. Two URLs are same-origin only if all three match exactly. https://example.com and http://example.com differ by scheme; example.com and www.example.com differ by host; port 80 and 8080 differ by port.

The same-origin policy (SOP) is the foundation of browser security: it stops a page on one origin from reading data from another. This tool compares two URLs, tells you precisely whether they are same-origin, and explains the consequences.

How it works

An origin is the combination of three things:

  1. Scheme (protocol) — http vs https
  2. Host (hostname) — example.com vs www.example.com vs api.example.com
  3. Port — explicit, or the scheme default (80 for http, 443 for https)

Two URLs are same-origin only if all three match exactly. Everything after the host and port — the path, query string, and #fragment — is irrelevant to the origin.

The tool parses each URL with the browser’s own URL parser, normalises the port (filling in 80/443 when omitted), and compares the three components individually. It then reports which component, if any, caused a cross-origin result.

What a cross-origin result means

When two contexts are cross-origin, the browser blocks the calling page from reading the other’s data. Concretely:

  • fetch()/XMLHttpRequest can send the request, but JavaScript cannot read the response body unless the server returns matching CORS headers.
  • A script cannot read the DOM, cookies (with the right flags), or localStorage of a cross-origin iframe.
  • Canvas pixels drawn from a cross-origin image become “tainted” and unreadable.

Note the asymmetry: SOP primarily restricts reading, not sending. A cross-origin form submission still reaches the server, which is exactly why CSRF defences are still required.

Choosing the right cross-origin mechanism

NeedUse
Read a cross-origin API response in JSCORS (Access-Control-Allow-Origin)
Send messages between two windows/iframespostMessage with a strict targetOrigin
Control who may embed your resourcesCORP / COEP / X-Frame-Options
Legacy subdomain relaxationdocument.domain — deprecated, avoid

Use the narrowest mechanism that solves the problem, and never widen CORS to * for credentialed or sensitive endpoints. This checker runs entirely in your browser — the URLs you enter are never sent anywhere.