document.domain
document.domain's ability to relax the same-origin policy, allowing two same-site pages to synchronously script each other, is a footgun. It complicates the implementation of the single defensible security boundary the web can reasonably uphold, and confounds our ability to cleanly map that boundary onto an underlying process. Ideally, we'll be able to remove this behavior from the platform, as part of a broader shift towards origin-level isolation by default.
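The relaxation described above, modelled as an added example (not code from the original page or from Chrome): the HTML Standard's same origin and same origin-domain comparisons as plain functions, plus a classifier for accesses that document.domain allows or blocks relative to the plain same-origin check. The hostnames, the function names and the classifier's labels are assumptions made for illustration, and the setter's validation of the assigned value is not modelled.

```javascript
// Model of the HTML Standard's "same origin" and "same origin-domain" checks.
// An origin is { scheme, host, port, domain }; domain is null until the page
// assigns document.domain. Hostnames are constructed sample values.
function origin(url, domain = null) {
  const u = new URL(url);
  const scheme = u.protocol.slice(0, -1);
  const port = u.port || (scheme === 'https' ? '443' : '80');
  return { scheme, host: u.hostname, port, domain };
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Synchronous cross-document scripting is gated on this comparison.
function sameOriginDomain(a, b) {
  if (a.domain !== null || b.domain !== null) {
    // Once either side has set document.domain, both must hold the same
    // value; host and port are no longer compared, only scheme and domain.
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return sameOrigin(a, b);
}

// Hypothetical classifier: how does document.domain change the outcome
// compared with the plain same-origin check?
function documentDomainEffect(a, b) {
  const plain = sameOrigin(a, b);
  const relaxed = sameOriginDomain(a, b);
  if (relaxed && !plain) return 'enabled';   // access only works via document.domain
  if (!relaxed && plain) return 'blocked';   // same-origin pair broken by a one-sided set
  return 'unaffected';
}

const cases = [
  ['both set parent domain', origin('https://app.example.test/', 'example.test'),
    origin('https://login.example.test/', 'example.test')],
  ['port ignored once set', origin('https://app.example.test:8443/', 'example.test'),
    origin('https://app.example.test/', 'example.test')],
  ['only one side sets it', origin('https://app.example.test/', 'example.test'),
    origin('https://app.example.test/')],
  ['neither sets it', origin('https://app.example.test/'),
    origin('https://login.example.test/')],
];
for (const [label, a, b] of cases) {
  console.log(label.padEnd(24), documentDomainEffect(a, b));
}
```

The second and third cases are the ones that make the boundary hard to reason about: a shared document.domain value erases the port from the comparison, and a one-sided assignment breaks access between two pages that are otherwise same-origin.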
The data below is gathered from Chrome's usage statistics, and represents the percentage of Chrome page loads that are affected by document.domain either allowing or blocking a cross-origin access that would have behaved otherwise in its absence.