no-document-domain
Disallow writes to document.domain that weaken same-origin boundaries.
Targeted pattern scopeโ
This rule targets assignments that modify document.domain.
What this rule reportsโ
This rule reports any direct write to document.domain.
Why this rule existsโ
Changing document.domain can relax origin checks and create cross-origin trust
relationships that were not intended.
โ Incorrectโ
document.domain = "example.com";
โ Correctโ
// Keep default browser origin boundaries.
ESLint flat config exampleโ
import sdl from "eslint-plugin-sdl-2";
export default [
{
plugins: { sdl },
rules: {
"sdl/no-document-domain": "error",
},
},
];
When not to use itโ
Disable only for vetted legacy integrations that cannot be migrated away from
document.domain.
Package documentationโ
Further readingโ
Rule catalog ID: R007