document-domain
The document-domain policy controls whether the current document is allowed to set document.domain. When this policy is denied to the current document's origin, attempting to set document.domain will fail and cause a SecurityError DOMException to be thrown. Changing the value of document.domain used to be a common practice to allow cross-origin communication, before better mechanisms such as postMessage existed, and today there are virtually no good reasons to change it.
How to apply this policy
Send the following HTTP header to control the document-domain policy, and disallow it on all origins:
Feature-Policy: document-domain 'none'
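As an added example (not part of the original page), the JavaScript below audits a Feature-Policy header value and reports whether it denies document-domain on all origins, as the header above does. The function names and sample header values are constructed for illustration.

```javascript
// Added example: function names and sample header values are constructed.

// Collect every allowlist declared for `feature` in a Feature-Policy value.
// Directives are separated by ';' and combined header fields by ','.
function allowlistsFor(headerValue, feature) {
  const found = [];
  for (const directive of String(headerValue || '').split(/[;,]/)) {
    const [name, ...allowlist] = directive.trim().split(/\s+/).filter(Boolean);
    if (name && name.toLowerCase() === feature) found.push(allowlist);
  }
  return found;
}

// Classify what the header does to document-domain. Conservative on purpose:
// duplicate declarations are not resolved, and the verdict is 'denied' only
// when every declaration is exactly 'none', as in the header shown above.
function auditDocumentDomain(headerValue) {
  const lists = allowlistsFor(headerValue, 'document-domain');
  if (lists.length === 0) return 'not-set';
  if (lists.every(l => l.length === 1 && l[0] === "'none'")) return 'denied';
  if (lists.some(l => l.includes('*'))) return 'allowed-all';
  return 'restricted'; // e.g. 'self' or an origin list: some origin may still set it
}

// Constructed sample header values, one per verdict plus a conflicting pair.
const samples = [
  "document-domain 'none'",
  "geolocation 'self'; document-domain 'none'",
  "document-domain 'self' https://app.example",
  "document-domain *",
  "geolocation 'none'",
  "document-domain 'none', document-domain *",
];
for (const s of samples) console.log(auditDocumentDomain(s).padEnd(12), s);
```

A verdict other than 'denied' means the response does not match the "disallow on all origins" configuration described here.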
Does it work?
Currently Firefox and Chromium-based browsers, such as Google Chrome, Samsung Internet, and Opera, are the only user agents to support Feature Policy. The minimum version that correctly recognises the document-domain policy is:
65+
72+
Not supported
Not supported