The document-domain policy controls whether the current document is allowed to set document.domain. When this policy is denied to the current document's origin, attempting to set document.domain will fail and cause a DOMException to be thrown. Changing the value of document.domain used to be a common practice to allow cross-origin communication, before better mechanisms such as postMessage existed, and today there are virtually no good reasons to change it.
How to apply this policy
Send the following HTTP header to control the document-domain policy and disallow it on all origins:
Feature-Policy: document-domain 'none'
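
One way to check that a response actually carries the setting above, as an added example that is not part of the original page. The function names, the sample header values, and the parsing assumptions noted in the comments are illustrative.

```javascript
// Added example: classify how a Feature-Policy header value treats document-domain.
// Assumed parsing: directives are separated by ';' (or ',' when several header
// lines were joined); each is "<feature> <allowlist...>"; first mention wins.
function parseFeaturePolicy(headerValue) {
  const policy = new Map();
  for (const directive of headerValue.split(/[;,]/)) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. a trailing ';'
    const [feature, ...allowlist] = tokens;
    if (!policy.has(feature)) policy.set(feature, allowlist);
  }
  return policy;
}

function documentDomainStatus(headerValue) {
  // No header delivered: this header places no restriction on document.domain.
  if (typeof headerValue !== 'string') return 'unrestricted';
  const allowlist = parseFeaturePolicy(headerValue).get('document-domain');
  // Header present but silent on this feature: still no restriction from it.
  if (allowlist === undefined) return 'unrestricted';
  if (allowlist.includes('*')) return 'unrestricted';
  // Only the exact setting shown on this page counts as disabled on all origins.
  if (allowlist.length === 1 && allowlist[0] === "'none'") return 'disabled';
  return 'restricted'; // 'self', explicit origins, or an empty allowlist
}

// Constructed sample header values, not captured from any real site.
const samples = [
  "document-domain 'none'",
  "geolocation 'self'; document-domain 'none'",
  "document-domain 'self' https://example.com",
  "document-domain *",
  "geolocation 'none'",
];
for (const value of samples) {
  console.log(`${documentDomainStatus(value).padEnd(12)} <- ${value}`);
}
```
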
Does it work?
Currently Firefox and Chromium-based browsers, such as Google Chrome, Samsung Internet, and Opera, are the only user agents to support Feature Policy. The minimum version that correctly recognises the document-domain policy is: