
Subdomain vs same-origin endpoints

Beyond the split between first-party and third-party URLs, a browser distinguishes various degrees of "first-party-ness". Generally, the more first-party a URL is, the more trust the browser places in communication with that URL. To judge the "first-party-ness" of a URL, the browser always compares it against the "main document", that is, the URL that the user has either clicked on or typed manually into the URL bar.

Technically, first-party is any URL whose hostname contains the domain of the main document. That means www.usercentrics.com is a first-party URL to usercentrics.com. Same-origin, however, is more specific than that. It requires the same protocol (https), subdomains (if any), and domain (usercentrics.com) as the page the user is on. So, same-origin URLs are a subset of all first-party URLs. For instance, https://usercentrics.com/same-origin is same-origin to https://usercentrics.com, but https://www.usercentrics.com/ is not.

Sounds confusing? Let's have a look at the schema below to understand the components of a URL and how they come together to form same-origin and first-party URLs.

Components of a URL

To better understand the difference between first-party and same-origin, let's look at a few example URLs relative to a main website hosted at: https://usercentrics.com/.

| Example URL | First party? | Same origin? |
|---|---|---|
| https://www.google.com/gtm.js | ❌ No | ❌ No |
| https://sgtm.usercentrics.com/gtm.js | ✅ Yes | ❌ No |
| https://usercentrics.com/collect/gtm.js | ✅ Yes | ✅ Yes |
| http://usercentrics.com/collect/gtm.js | ✅ Yes | ❌ No |
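The classification in the table can be reproduced in code. The following is an added example, not code from the original page: `classifyUrl`, `classifyAll` and the `siteDomain` parameter are hypothetical names, and the last three sample URLs are constructed to show cases the table does not cover (lookalike hostnames and a non-default port, which the browser's origin comparison also takes into account).

```javascript
// Added example: classify a request URL relative to the main document.
// `siteDomain` is the main document's domain, passed in explicitly
// (assumption: deriving it for arbitrary sites needs the Public Suffix List).
function classifyUrl(requestUrl, mainDocumentUrl, siteDomain) {
  const req = new URL(requestUrl);
  const main = new URL(mainDocumentUrl);
  const host = req.hostname; // the URL parser already lowercases hostnames
  const site = siteDomain.toLowerCase();

  // First-party: the host is the site domain itself or a subdomain of it.
  // Match on a label boundary (leading dot), never on a bare substring,
  // so lookalike hosts are not mistaken for first-party ones.
  const firstParty = host === site || host.endsWith("." + site);

  // Same-origin: scheme, full host and port must all match.
  const sameOrigin = req.origin === main.origin;

  return { firstParty, sameOrigin };
}

const MAIN_DOCUMENT = "https://usercentrics.com/";
const SITE_DOMAIN = "usercentrics.com";

const SAMPLES = [
  // The four rows from the table above
  "https://www.google.com/gtm.js",
  "https://sgtm.usercentrics.com/gtm.js",
  "https://usercentrics.com/collect/gtm.js",
  "http://usercentrics.com/collect/gtm.js",
  // Constructed edge cases (not from the original page)
  "https://notusercentrics.com/gtm.js",          // shares a suffix, different domain
  "https://usercentrics.com.example.net/gtm.js", // site domain used as a subdomain label
  "https://usercentrics.com:8443/collect/gtm.js" // same host, different port
];

function classifyAll() {
  return SAMPLES.map((url) => ({
    url,
    ...classifyUrl(url, MAIN_DOCUMENT, SITE_DOMAIN),
  }));
}

console.table(classifyAll());
```

A plain substring check such as `host.includes(siteDomain)` would mark both lookalike hosts as first-party, which is why the comparison is anchored to a dot-separated suffix.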