Origin Configuration
What are origins and allowed URLs?
For security reasons, stafftastic services such as praktikum.io Posting Embeds and praktikum.io Spaces only allow embeds from specific URLs, also known as origins. This helps prevent unauthorized use of your embeds on websites outside of your control. An origin is defined by the combination of the scheme (http or https), the domain (e.g., example.com) and the port (e.g., 80 or 443).
Because the default Referrer-Policy in Chromium-based browsers has changed to strict-origin-when-cross-origin, we have chosen not to support path-based restrictions: under that policy the browser sends only the scheme, host and port in the Referer header of a cross-origin request, so a restriction on the path could not be enforced reliably.
How are origins matched?
When you configure an origin in the praktikum.io App, we will match the origin of the request against the allowed URLs you have configured. The matching is done as follows:
- The scheme (http or https) must match.
- The domain must match exactly.
- The port must match exactly. An allowed URL with an explicit port only matches request origins that carry the same explicit port, and an allowed URL without a port only matches request origins without one.
If a request's origin matches one of your allowed URLs, the request will be allowed. Otherwise, it will be blocked.
You may not use wildcards or partial matches in your allowed URLs. For example, https://*.example.com or https://example.* are not valid allowed URLs.
Examples
| Allowed URL | Request Origin | Allowed? | Reason |
|---|---|---|---|
| https://www.example.com | https://www.example.com | Yes | Exact match |
| http://www.example.com | https://www.example.com | No | Scheme mismatch |
| https://example.com | https://www.example.com | No | Domain mismatch |
| https://www.example.com:443 | https://www.example.com | No | Port mismatch (explicit port 443 is not the same as an unspecified port) |
Note that browsers omit the default port (80 for http, 443 for https) when they send an Origin or Referer header, so an allowed URL that spells out the default port will never match a request coming from a browser. Configure such URLs without the port.
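The matching rules and the table above as a runnable server-side check, written as an added example for this page; it is not praktikum.io's own code. The request origin is taken from the Origin header, or from a Referer header reduced to its origin as strict-origin-when-cross-origin sends it. The function names, the lowercasing of scheme and host, the lack of IPv6 literal support and the sample values are assumptions of this example.

```javascript
// Added example, not praktikum.io's code: exact-match origin allowlisting as
// the page describes it. Plain Node.js, no network access.

// Scheme, host and optional explicit port of an absolute http(s) URL. The port
// is kept as the literal string from the URL so that an explicit ":443" stays
// distinct from an unspecified port, as the page's rules require. Anything
// after the authority (path, query, fragment) is ignored. Assumption: hosts are
// DNS names; IPv6 literals are not handled.
const ORIGIN_RE = /^(https?):\/\/([^\/:?#]+)(?::(\d{1,5}))?(?=[\/?#]|$)/i;

// Reduces a string to { scheme, host, port } or null when it is not a usable
// origin (missing header, "null", data: URLs, garbage). Scheme and DNS host
// names are case-insensitive, so both are lowercased (assumption: the service
// normalises the same way).
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  const m = ORIGIN_RE.exec(value.trim());
  if (!m) return null;
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), port: m[3] ?? '' };
}

// Parses one configured allowed URL. Wildcards are rejected up front so that a
// misconfigured entry fails loudly instead of silently never matching.
function parseAllowedUrl(value) {
  if (typeof value === 'string' && value.includes('*')) {
    throw new Error(`wildcards are not allowed in allowed URLs: ${value}`);
  }
  const origin = parseOrigin(value);
  if (origin === null) {
    throw new Error(`not an absolute http(s) URL: ${value}`);
  }
  return origin;
}

// The matching rule: scheme, host and port must all be equal.
function originsEqual(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// True when the request origin exactly matches one configured allowed URL.
// Fails closed: a missing or unparsable request origin is never allowed.
function isAllowed(allowedUrls, requestOriginHeader) {
  const origin = parseOrigin(requestOriginHeader);
  if (origin === null) return false;
  return allowedUrls.map(parseAllowedUrl).some((allowed) => originsEqual(allowed, origin));
}

// Constructed configuration and request values for a stand-alone run.
const allowedUrls = ['https://www.example.com'];
console.log(isAllowed(allowedUrls, 'https://www.example.com'));       // exact match
console.log(isAllowed(allowedUrls, 'http://www.example.com'));        // scheme mismatch
console.log(isAllowed(allowedUrls, 'https://www.example.com/'));      // Referer form, same origin
console.log(isAllowed(allowedUrls, 'https://www.example.com.evil.com')); // partial match rejected
```

Two points worth noting in the design: the request origin is parsed with the same rule as the configuration, so a Referer of the form `https://www.example.com/` and an Origin of `https://www.example.com` reduce to the same value, and a host such as `www.example.com.evil.com` is compared as a whole, which is what makes prefix and suffix tricks fail. Because the port is compared literally, an allowed URL of `https://www.example.com:443` does not match a browser-sent origin, which never carries the default port.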