documentDomains
Reports uses of document.domain, which relaxes same-origin protections.
✅ This rule is included in the browser logical presets.
The document.domain API changes the origin the browser uses for same-origin checks.
Setting it can let pages on related subdomains access each other when the browser would otherwise keep them isolated.
Use location.hostname or location.origin when you only need to read the current page’s host or origin.
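To make the effect on same-origin checks concrete, here is an added example (not part of the original page or of Flint) that models the comparison browsers apply before and after document.domain is assigned. The function names and sample URLs are hypothetical, and the model skips the public-suffix check that real browsers perform on the assigned value.

```javascript
// Added example: simplified model of the origin comparison, not Flint code.
// makeOrigin, setDocumentDomain and sameOriginDomain are hypothetical names.

function makeOrigin(url) {
  const u = new URL(url);
  const defaultPort = u.protocol === "https:" ? "443" : "80";
  // `domain` stays null until the page assigns document.domain.
  return { scheme: u.protocol, host: u.hostname, port: u.port || defaultPort, domain: null };
}

// Models `document.domain = value`. Simplification: real browsers also reject
// public suffixes such as "com"; this model only checks the suffix relation.
function setDocumentDomain(origin, value) {
  if (value !== origin.host && !origin.host.endsWith("." + value)) {
    throw new Error(`"${value}" is not a suffix of ${origin.host}`);
  }
  return { ...origin, domain: value };
}

// Strict comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Comparison used for cross-document script access. Once both sides have set
// a domain, host and port are no longer compared.
function sameOriginDomain(a, b) {
  if (a.domain !== null && b.domain !== null) {
    return a.scheme === b.scheme && a.domain === b.domain;
  }
  return a.domain === null && b.domain === null && sameOrigin(a, b);
}

// Constructed sample pages on two sibling subdomains with different ports.
const app = makeOrigin("https://app.example.com/");
const blog = makeOrigin("https://blog.example.com:8443/");
const appRelaxed = setDocumentDomain(app, "example.com");
const blogRelaxed = setDocumentDomain(blog, "example.com");

console.log(sameOriginDomain(app, blog));               // false: isolated by default
console.log(sameOriginDomain(appRelaxed, blog));        // false: only one side opted in
console.log(sameOriginDomain(appRelaxed, blogRelaxed)); // true: host and port ignored
```

The last case is why the rule exists: after the assignment, any page on a subdomain that sets the same value is treated as same-origin, regardless of its host or port.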
Examples
// Reported: uses of document.domain
document.domain = "example.com";
window.document.domain = "example.com";

// Not reported: reading the current host or origin
const currentHost = location.hostname;
const currentOrigin = location.origin;

Options
This rule is not configurable.
When Not To Use It
If you maintain a legacy app that temporarily depends on cross-subdomain same-origin relaxation while migration is in progress, it may be reasonable to disable this rule for those files. For new code, prefer current host checks or server-side origin configuration instead.
Further Reading
Equivalents in Other Linters
- ESLint: sdl/no-document-domain
Made with ❤️🔥 around the world by
the Flint team and contributors.