The current version of the spec mentions "same origin-domain" in the context of security measures and focus requirements.

We're one of the few specs that use "same origin-domain" instead of a plain "secure origin" check/requirement, and digging through old commits and pull requests it is not clear why this choice was made.