docs/security/document-domain.md - chromium/src.git - Git at Google

 # `document.domain` Setting is Deprecated

 Setting [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain)
 is [deprecated](https://html.spec.whatwg.org/multipage/origin.html#relaxing-the-same-origin-restriction).
 `document.domain` setting can be used to relax the same-origin restrictions
 between different frames, hosted within the same site but on different origins.
 Doing so make themselves effectively same-origin for the purpose of
 synchronous access.

 For example, `https.//www.example.test/` might host a media player on
 `media.example.org`. If both the main page and the frame execute
 `document.domain = "example.org";` they may then access each others' DOM
 tree, which they normally couldn't. (A better way would be to cooperate
 by `postMessage()`.)

 This usage is now being deprecated. (More information can be found
 [here](https://developer.chrome.com/blog/immutable-document-domain/) and
 [there](https://github.com/mikewest/deprecating-document-domain)).

 ## What is happening, and when?

 * M100: Chrome will show deprecation warnings when document.domain is set.
 * M106: Chrome will disable document.domain by default.

 Note that the second milestone is tentative: When the time comes, we will
 examine how many pages will be impacted by this change, and will start a
 separate discussion (intent to remove) on the
 [blink-dev mailing list](https://groups.google.com/a/chromium.org/g/blink-dev).

 ##  `document.domain` and Origin-keyed Agent Clusters

 Most documentation on this change is phrased in terms of origin-keyed
 agent clusters. This is [a concept in the HTML
 specification](https://html.spec.whatwg.org/multipage/origin.html#origin-keyed-agent-clusters).
 Here we focus on the behaviour of the `document.domain` setter, which is
 the visible effect.

 A web browser can cluster sites (in order to assign them to operating
 system processes) and sites can be clustered by origin, or by site.
 Origin-keyed agent clustering is preferable for security reasons. However
 when sites are clustered by origin, synchronous access to frames outside of
 that origin (but within the same site) is no longer possible. Thus sites in
 origin-keyed agent clusters disable the `document.domain` setter. This is the
 mechanism underlying this change: From M106 on pages will be assigned to
 origin-keyed agent clusters by default and therefore `document.domain`
 will no longer be settable by default, either.

 This also gives us an opt-out mechanism for pages who do not wish to follow
 this change: By setting the `Origin-Agent-Cluster: ?0` http header, a site
 can request assignment to a site-keyed agent cluster, and `document.domain`
 will continue to work for them as it currently does. Note that adding this
 header has no other observable effect and thus retains the current
 (pre-M106) behaviour. This makes it an easy and _safe_ way to opt-out.

 Setting this header is a no-op in current versions of Chromium since it
 matches the default setting, and will preserve this behaviour in the future.
 It is also a no-op in other browsers, since they either match Chromium's
 current default or have not implemented the `Origin-Agent-Cluster` header at
 all.

 ## Where are the deprecation warnings found?

 The deprecation warnings are found in the [issues tab](https://developer.chrome.com/docs/devtools/issues/).

 ## What does the deprecation warning tell me?

 There are two deprecation warnings: One for setting the `document.domain`
 accessors, which modifies the security behaviour. And from M101 on,
 a second warning when a cross-domain access is made that is facilitated by
 the modified `document.domain` property. The first warning tells you where
 the setup happens, and the second one tells you where it is being used (and
 thus likely why this is being done in the first place).

 ## How Can I Test This?

 In the DevTools console, for a page `www.example.test`:

 ```
 document.domain = "example.test";
 document.domain;  // "example.test" in a site-keyed agent cluster.
                   // "www.example.test" in an origin-keyed agent cluster.
 ```

 One can also directly query whether a page is assigned to an origin-keyed
 agent cluster, by querying `window.originAgentCluster`.

 ```
 window.originAgentCluster;  // true, if page is assigned to an origin-keyed
                             // agent cluster.
 ```

 How to enable/disable the deprecation:

 ### Enable the Deprecation (Scheduled for M106)

 * In [chrome://flags](chrome://flags#origin-agent-cluster-default), go to
   the "Origin Agent Cluster Default" setting and enable it.
 * Or start Chrome with `--enable-features=OriginAgentClusterDefaultEnable`
 * Or add the `Origin-Agent-Cluster: ?1` header to your pages and frames.
   (E.g. in a testing instance of your site.)

 ### Testing at Scale / Reporting API

 The deprecation warnings are delivered through the
 [Reporting API](https://web.dev/reporting-api/). They can
 be pragrammatically processed using `ReportingObserver`. For example, the
 first code snippet in
 https://developers.google.com/web/updates/2018/07/reportingobserver
 will report these warnings. The message object delivered by this API is a
 [`DeprecationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/DeprecationReportBody)
 instance which offers information about the source code location that triggered
 the warning.

 ## What can I do?

 If your site does not use `document.domain` setting you don't have to do
 anything. You could explicitly set the `Origin-Agent-Cluster: ?1` header.
 But after M106 this would be the default behaviour anyhow.

 If your site uses `document.domain` setting to enable cross-origin Javascript
 access, you should refactor the code to instead use
 [`window.postMessage()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (or any other mechanism) to cooperate across origins. Or alternatively
 reduce the need for cross-origin cooperation by moving the cooperating pieces
 onto the same origin.

 ## What if I don't have the time right now, or want to continue setting `document.domain`?

 You can add the `Origin-Agent-Cluster: ?0` HTTP header to your site. Note that
 the header must be set both for the main page, as well as for the embedded
 frame(s) that wish to use `document.domain` setting.

 ## Enterprise Users

 Users of [Chrome for Enterprise](https://chromeenterprise.google/) can set
 the `OriginAgentClusterDefaultEnabled` policy to `False` to retain the
 current (pre-M106) default for all of their users, until all their internal
 sites and customers have migrated off of `document.domain` usage.
	# `document.domain` Setting is Deprecated

	Setting [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain)
	is [deprecated](https://html.spec.whatwg.org/multipage/origin.html#relaxing-the-same-origin-restriction).
	`document.domain` setting can be used to relax the same-origin restrictions
	between different frames, hosted within the same site but on different origins.
	Doing so make themselves effectively same-origin for the purpose of
	synchronous access.

	For example, `https.//www.example.test/` might host a media player on
	`media.example.org`. If both the main page and the frame execute
	`document.domain = "example.org";` they may then access each others' DOM
	tree, which they normally couldn't. (A better way would be to cooperate
	by `postMessage()`.)

	This usage is now being deprecated. (More information can be found
	[here](https://developer.chrome.com/blog/immutable-document-domain/) and
	[there](https://github.com/mikewest/deprecating-document-domain)).

	## What is happening, and when?

	* M100: Chrome will show deprecation warnings when document.domain is set.
	* M106: Chrome will disable document.domain by default.

	Note that the second milestone is tentative: When the time comes, we will
	examine how many pages will be impacted by this change, and will start a
	separate discussion (intent to remove) on the
	[blink-dev mailing list](https://groups.google.com/a/chromium.org/g/blink-dev).

	## `document.domain` and Origin-keyed Agent Clusters

	Most documentation on this change is phrased in terms of origin-keyed
	agent clusters. This is [a concept in the HTML
	specification](https://html.spec.whatwg.org/multipage/origin.html#origin-keyed-agent-clusters).
	Here we focus on the behaviour of the `document.domain` setter, which is
	the visible effect.

	A web browser can cluster sites (in order to assign them to operating
	system processes) and sites can be clustered by origin, or by site.
	Origin-keyed agent clustering is preferable for security reasons. However
	when sites are clustered by origin, synchronous access to frames outside of
	that origin (but within the same site) is no longer possible. Thus sites in
	origin-keyed agent clusters disable the `document.domain` setter. This is the
	mechanism underlying this change: From M106 on pages will be assigned to
	origin-keyed agent clusters by default and therefore `document.domain`
	will no longer be settable by default, either.

	This also gives us an opt-out mechanism for pages who do not wish to follow
	this change: By setting the `Origin-Agent-Cluster: ?0` http header, a site
	can request assignment to a site-keyed agent cluster, and `document.domain`
	will continue to work for them as it currently does. Note that adding this
	header has no other observable effect and thus retains the current
	(pre-M106) behaviour. This makes it an easy and _safe_ way to opt-out.

	Setting this header is a no-op in current versions of Chromium since it
	matches the default setting, and will preserve this behaviour in the future.
	It is also a no-op in other browsers, since they either match Chromium's
	current default or have not implemented the `Origin-Agent-Cluster` header at
	all.

	## Where are the deprecation warnings found?

	The deprecation warnings are found in the [issues tab](https://developer.chrome.com/docs/devtools/issues/).

	## What does the deprecation warning tell me?

	There are two deprecation warnings: One for setting the `document.domain`
	accessors, which modifies the security behaviour. And from M101 on,
	a second warning when a cross-domain access is made that is facilitated by
	the modified `document.domain` property. The first warning tells you where
	the setup happens, and the second one tells you where it is being used (and
	thus likely why this is being done in the first place).

	## How Can I Test This?

	In the DevTools console, for a page `www.example.test`:

	```
	document.domain = "example.test";
	document.domain; // "example.test" in a site-keyed agent cluster.
	// "www.example.test" in an origin-keyed agent cluster.
	```

	One can also directly query whether a page is assigned to an origin-keyed
	agent cluster, by querying `window.originAgentCluster`.

	```
	window.originAgentCluster; // true, if page is assigned to an origin-keyed
	// agent cluster.
	```

	How to enable/disable the deprecation:

	### Enable the Deprecation (Scheduled for M106)

	* In [chrome://flags](chrome://flags#origin-agent-cluster-default), go to
	the "Origin Agent Cluster Default" setting and enable it.
	* Or start Chrome with `--enable-features=OriginAgentClusterDefaultEnable`
	* Or add the `Origin-Agent-Cluster: ?1` header to your pages and frames.
	(E.g. in a testing instance of your site.)

	### Testing at Scale / Reporting API

	The deprecation warnings are delivered through the
	[Reporting API](https://web.dev/reporting-api/). They can
	be pragrammatically processed using `ReportingObserver`. For example, the
	first code snippet in
	https://developers.google.com/web/updates/2018/07/reportingobserver
	will report these warnings. The message object delivered by this API is a
	[`DeprecationReportBody`](https://developer.mozilla.org/en-US/docs/Web/API/DeprecationReportBody)
	instance which offers information about the source code location that triggered
	the warning.

	## What can I do?

	If your site does not use `document.domain` setting you don't have to do
	anything. You could explicitly set the `Origin-Agent-Cluster: ?1` header.
	But after M106 this would be the default behaviour anyhow.

	If your site uses `document.domain` setting to enable cross-origin Javascript
	access, you should refactor the code to instead use
	[`window.postMessage()`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage) (or any other mechanism) to cooperate across origins. Or alternatively
	reduce the need for cross-origin cooperation by moving the cooperating pieces
	onto the same origin.

	## What if I don't have the time right now, or want to continue setting `document.domain`?

	You can add the `Origin-Agent-Cluster: ?0` HTTP header to your site. Note that
	the header must be set both for the main page, as well as for the embedded
	frame(s) that wish to use `document.domain` setting.

	## Enterprise Users

	Users of [Chrome for Enterprise](https://chromeenterprise.google/) can set
	the `OriginAgentClusterDefaultEnabled` policy to `False` to retain the
	current (pre-M106) default for all of their users, until all their internal
	sites and customers have migrated off of `document.domain` usage.