Domain, Host, Origin - A quick comparison

Navigating through CORS and other web development tasks is tough when you don't have this terminology locked down, so I've summarized what's what.

This URL will be used as our reference


com = top-level domain or TLD
apple = domain
developer = sub-domain (not always present) = fully qualified domain name or FQDN. Sometimes just "domain" is used when referring to the fully qualified domain.

Host = host, but would include port if there was one = hostname, which doesn't include port and in some documentation it appears to only refer to the sub-domain 🤷‍♂️

URL scheme

https = scheme

A scheme is an identifier or designator of a protocol, not the protocol itself. For example, https is the identifier used to tell the browser to follow the Hypertext Transfer Protocol Secure protocol for our reference URL. Other identifiers are used to tell the browser to follow other protocols, like mailto and ftp.

Origin = origin, everything but the path.

An origin includes the scheme, hostname (if present), host, and port (if present). Like this:


"Same-origin" means the client, e.g. your website, has the same origin as the server it's calling, for example:

// Browser JavaScript running on making this call is same-origin

"Cross-origin" means the client origin is different than the server it's calling. Assuming the same JavaScript from above we get:

// Cross-origin because the scheme is different

// Cross-origin because the domains differ (sub-domains don't get a free pass)

// Cross-origin because the port is different


/documentation/accelerate = path

Browsers don't enforce any communication rules as far as the path is concerned (they do set an extremely long max length though). The path references what is considered the "resource" and the server, not the browser, determines if the request is authorized to access that resource.

Parameters aka Query String

?language=objc = query parameter string

Like the path portion of a URL, there are no communication rules being enforced.

Well, I hope that helps someone. If you need to get more details on CORS, here's simple checklist.