Skip to main content

no-document-domain

Disallow writes to document.domain that weaken same-origin boundaries.

Targeted pattern scopeโ€‹

This rule targets assignments that modify document.domain.

What this rule reportsโ€‹

This rule reports any direct write to document.domain.

Why this rule existsโ€‹

Changing document.domain can relax origin checks and create cross-origin trust relationships that were not intended.

โŒ Incorrectโ€‹

document.domain = "example.com";

โœ… Correctโ€‹

// Keep default browser origin boundaries.

ESLint flat config exampleโ€‹

import sdl from "eslint-plugin-sdl-2";

export default [
{
plugins: { sdl },
rules: {
"sdl/no-document-domain": "error",
},
},
];

When not to use itโ€‹

Disable only for vetted legacy integrations that cannot be migrated away from document.domain.

Package documentationโ€‹

Further readingโ€‹

Rule catalog ID: R007