Whether candidate shares base's security origin: same scheme, host, and
effective port (per-scheme default applied). The legacy POST endpoint a server
supplies on the SSE stream is only trusted when it is same-origin, so the
client never POSTs its bearer token to a server-named cross-origin URI. A
scheme mismatch (e.g. an https base vs. an http candidate) is rejected too, so
a downgrade cannot leak the credential in plaintext.
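The check described above, written out as an added example (not the project's own code). It assumes the server-supplied endpoint may arrive as a relative or scheme-relative reference and is therefore resolved against the SSE stream URL before the origin comparison; the function names `origin`, `same_origin` and `resolve_endpoint` and the sample URLs are hypothetical.

```python
from typing import Optional, Tuple
from urllib.parse import urljoin, urlsplit

# Per-scheme default ports, applied when the URL carries no explicit port so that
# "https://h/x" and "https://h:443/x" compare as the same origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def origin(url: str) -> Optional[Tuple[str, str, int]]:
    """Return (scheme, host, effective_port) for url, or None if no usable origin
    can be derived (missing scheme/host, unknown scheme, or an unparsable port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = parts.hostname  # already lower-cased; IPv6 brackets stripped
    if not scheme or not host:
        return None
    try:
        port = parts.port  # None when absent; ValueError when not an integer
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS.get(scheme)
        if port is None:
            return None  # no default known for this scheme: refuse to guess
    return (scheme, host, port)


def same_origin(base: str, candidate: str) -> bool:
    """True only when both URLs yield an origin and the tuples match exactly,
    so an https base never matches an http candidate (downgrade) and a
    different explicit port is a different origin."""
    b, c = origin(base), origin(candidate)
    return b is not None and c is not None and b == c


def resolve_endpoint(sse_url: str, server_supplied: str) -> str:
    """Resolve the endpoint URI a server sent on the SSE stream against the
    stream URL, then require it to be same-origin. Raises ValueError otherwise,
    which the caller must treat as fatal: the bearer token is never POSTed to
    a cross-origin URI the server named."""
    resolved = urljoin(sse_url, server_supplied)
    if not same_origin(sse_url, resolved):
        raise ValueError(f"refusing cross-origin endpoint {resolved!r} for {sse_url!r}")
    return resolved


if __name__ == "__main__":
    # Constructed sample URLs for illustration.
    base = "https://mcp.example/sse"
    print(resolve_endpoint(base, "/messages?sessionId=abc"))
    for bad in ("http://mcp.example/messages",      # scheme downgrade
                "//evil.example/messages",          # scheme-relative, other host
                "https://mcp.example:8443/messages"):  # other port
        try:
            resolve_endpoint(base, bad)
        except ValueError as e:
            print("rejected:", e)
```

Note that `urlsplit` does no validation, so `origin` treats a host-less or malformed URL as having no origin at all rather than as matching anything; a check that returned True on parse failure would be the classic way to lose this guarantee.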