The `document.domain` setter allows developers to relax the same-origin policy, complicating the fundamental security boundary we aim to maintain and putting roadblocks in the way of post-Spectre changes to Chromium's process model. We should deprecate it by making it opt-in via `Origin-keyed agent clusters` (https://chromestatus.com/features/5683766104162304). The setter will remain, but the origin will remain unchanged; in that case the compatibility risk is low.
Chromium's threat model (https://chromium.googlesource.com/chromium/src/+/master/docs/security/side-channel-threat-model.md) requires us to consider a process as the only defensible security boundary. To that end, aligning origins with processes is paramount. The `document.domain` setter makes this a difficult task, as we don't know whether the same-origin policy will be relaxed until runtime, when it's too late to change the process into which a document has committed. We have some opt-out mechanisms; ideally this would switch to an opt-in.
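The mechanics described above, as an added example that is not part of the feature entry or of Chromium's own code: a small Node.js model of the HTML spec's document.domain setter, its "same origin-domain" check, and the rule that the setter has no effect when a document's agent cluster is origin-keyed. The hosts, documents and response headers are constructed sample data; the Public Suffix List check that real browsers apply is simplified to a suffix match.

```javascript
// Added example, not from the feature entry or Chromium. Models how setting
// document.domain relaxes the same-origin check, and how an origin-keyed
// agent cluster (opted into with the Origin-Agent-Cluster: ?1 response
// header) turns the setter into a no-op so the origin never changes.

// Tuple origin of a URL; the domain component starts out null (HTML spec).
function originOf(url) {
  const u = new URL(url);
  return {
    scheme: u.protocol.replace(':', ''),
    host: u.hostname,
    port: u.port || null,
    domain: null,
  };
}

// Simplified registrable-domain check: the candidate must be the host itself
// or a dot-separated suffix of it. Browsers additionally consult the Public
// Suffix List so that a public suffix such as "co.uk" can never be chosen.
function isValidDomainFor(host, candidate) {
  return host === candidate || host.endsWith('.' + candidate);
}

// Whether a response opted its document into an origin-keyed agent cluster
// (constructed header map; the header name and "?1" value are the real ones).
function isOriginKeyed(headers) {
  const v = headers['origin-agent-cluster'];
  return typeof v === 'string' && v.trim() === '?1';
}

// A document: its origin plus the agent-cluster keying it was committed with.
function makeDocument(url, headers = {}) {
  return { origin: originOf(url), originKeyed: isOriginKeyed(headers) };
}

// The document.domain setter as the spec lays it out: in an origin-keyed
// agent cluster the setter returns without touching the origin; otherwise an
// invalid value is a SecurityError and a valid one relaxes the origin's domain.
function setDocumentDomain(doc, value) {
  if (doc.originKeyed) return false; // no effect on the origin
  if (!isValidDomainFor(doc.origin.host, value)) {
    throw new Error('SecurityError: ' + value + ' is not a suffix of ' + doc.origin.host);
  }
  doc.origin.domain = value;
  return true;
}

function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// HTML spec "same origin-domain": either both domains are null and the
// origins are identical, or both domains are non-null and equal and the
// schemes match (the port is deliberately ignored once domains are set).
function sameOriginDomain(a, b) {
  if (a.domain === null && b.domain === null) return sameOrigin(a, b);
  return a.domain !== null && b.domain !== null &&
    a.scheme === b.scheme && a.domain === b.domain;
}

// Two sibling subdomains both setting document.domain = "example.com".
// Returns whether they end up able to script each other.
function siblingsCanScript(headers) {
  const a = makeDocument('https://a.example.com/', headers);
  const b = makeDocument('https://b.example.com/', headers);
  setDocumentDomain(a, 'example.com');
  setDocumentDomain(b, 'example.com');
  return sameOriginDomain(a.origin, b.origin);
}

// Relaxation only works when BOTH sides set document.domain.
function oneSidedRelaxation() {
  const a = makeDocument('https://a.example.com/');
  const b = makeDocument('https://b.example.com/');
  setDocumentDomain(a, 'example.com');
  return sameOriginDomain(a.origin, b.origin);
}

console.log('legacy clusters:', siblingsCanScript({}));
console.log('origin-keyed clusters:', siblingsCanScript({ 'origin-agent-cluster': '?1' }));
console.log('only one side relaxed:', oneSidedRelaxation());
```

The point the model makes for the process-model discussion: without origin keying, whether `a.example.com` and `b.example.com` share an origin is only known after both documents have run script, which is after each has already been committed to a process. With `Origin-Agent-Cluster: ?1` the setter cannot change the origin, so the origin a document commits with is the one it keeps.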
Status in Chromium
In developer trial (Behind a flag)
Consensus & Standardization
Last updated on 2022-01-19