The document-domain policy controls whether the current document is allowed to set document.domain. When this policy is denied to the current document's origin, attempting to set document.domain will fail and cause a SecurityError DOMException to be be thrown. Changing the value of document.domain used to be a common practice to allow cross-origin communication, before better mechanisms such as postMessage existed, and today there are virtually no good reasons to change it.

How to apply this policy

Send the following HTTP header to control the document-domain policy, and disallow it on all origins:

Feature-Policy: document-domain 'none'

Does it work?

Currently Firefox, and Chromium based browsers, such as Google Chrome, Samsung Internet, and Opera, are the only user-agents to support Feature Policy. The minimum version that correctly recognises the document-domain policy is:

Mozilla Firefox


Google Chrome


Microsoft Edge

Not supported

Apple Safari

Not supported