diff --git a/lib/validate.js b/lib/validate.js
index dd2e55b6fefb0a8c36668f404d93958dcbc9cd99..2788c78b31aaf44954ef3843966614265cadc11e 100644
--- a/lib/validate.js
+++ b/lib/validate.js
@@ -38,9 +38,24 @@ var types = {
     JSON.parse(x);
   },
   origin: function(x) {
-    // allow single hostnames, e.g. localhost
-    if (typeof x !== 'string' || !x.match(/^https?:\/\/[a-z\d_-]+(\.[a-z\d_-]+)*(:\d+)?$/i)) {
-      throw "not a valid origin";
+    /* origin regex
+    /^                          // beginning
+    https?:\/\/                 // starts with http:// or https://
+    (?=.{1,254}(?::|$))         // hostname must be within 1-254 characters
+    (?:                         // match hostname part (<part>.<part>...)
+      (?!\d|-)                  // cannot start with a digit or dash
+      (?![a-z0-9\-]{1,62}-      // part cannot end with a dash
+        (?:\.|:|$))             // (end of part will be '.', ':', or end of str)
+      [a-z0-9\-]{1,63}\b        // part will be 1-63 letters, numbers, or dashes
+        (?!\.$)                 // final part cannot end with a '.'
+        \.?                     // part followed by '.' unless final part
+    )+                          // one or more hostname parts
+    (:\d+)?                     // optional port
+    $/i;                        // end; case-insensitive
+    */
+    var regex = /^https?:\/\/(?=.{1,254}(?::|$))(?:(?!\d|-)(?![a-z0-9\-]{1,62}-(?:\.|:|$))[a-z0-9\-]{1,63}\b(?!\.$)\.?)+(:\d+)?$/i;
+    if (typeof x !== 'string' || !x.match(regex)) {
+      throw new Error("not a valid origin");
     }
   }
 };