diff --git a/lib/jquery.expensifyIframify.js b/lib/jquery.expensifyIframify.js
index c8978960..e55ddcdb 100644
--- a/lib/jquery.expensifyIframify.js
+++ b/lib/jquery.expensifyIframify.js
@@ -164,14 +164,26 @@ export default {
 // Sending message from the iFrame to the parent
 // Only post a message if this is in an iFrame
 if (!postToIframe && window.parent !== window) {
- targetOrigin = `${window.parent.location.protocol}//${window.parent.location.hostname}`;
+ try {
+ targetOrigin = `${window.parent.location.protocol}//${window.parent.location.hostname}`;
+ } catch (e) {
+ // window.parent.location throws SecurityError under strict-origin-isolation.
+ // Using '*' is safe because handleWindowMessage validates event.origin independently.
+ targetOrigin = '*';
+ }
 log('posting message to parent', targetOrigin, msg);
 window.parent.postMessage(msg, targetOrigin);
 }
 // Sending message from the parent to the iFrame
 if (postToIframe && iframeElement[0].contentWindow) {
- targetOrigin = `${iframeElement[0].contentWindow.location.protocol}//${iframeElement[0].contentWindow.location.hostname}`;
+ try {
+ targetOrigin = `${iframeElement[0].contentWindow.location.protocol}//${iframeElement[0].contentWindow.location.hostname}`;
+ } catch (e) {
+ // contentWindow.location throws SecurityError under strict-origin-isolation.
+ // Using '*' is safe because handleWindowMessage validates event.origin independently.
+ targetOrigin = '*';
+ }
 log('posting message to iframe', targetOrigin, msg);
 iframeElement[0].contentWindow.postMessage(msg, targetOrigin);
 }
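Review bot: The `targetOrigin = '*'` fallback in both catch blocks weakens the guarantee that postMessage's second argument exists to give: validating `event.origin` in the receiver (as the new comments say handleWindowMessage does, which is outside this hunk) only filters what this code accepts, it does not stop `msg` from being delivered to whatever document currently occupies the parent or the frame, so the comment "Using '*' is safe" only holds if `msg` never carries anything sensitive. Since a cross-origin `location` read throws in every browser, not just under strict-origin-isolation, the catch branch is the normal path for cross-origin setups, so the expected origin should come from information the sender already owns rather than from the other window: for the parent→iframe direction `targetOrigin = new URL(iframeElement[0].src, window.location.href).origin;` uses the frame's own src, and for the iframe→parent direction a configured parent origin (or, hedged, `document.referrer` when the referrer policy still exposes it) is preferable to `'*'`. Both catch blocks also bind an unused `e`; ES2019 optional catch binding `} catch {` is cleaner if the file's target supports it. The enclosing method starts and ends outside the hunk.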
@@ -387,8 +399,14 @@ export default {
 const subdomain = domainArray.shift();
 const domainWithoutSubdomain = domainArray.join('.');
- // There are some browsers that don't support document.domain so we have to manually create it
- document.domain = domainWithoutSubdomain;
+ // Attempt to set document.domain for same-site iframe communication.
+ // This is blocked when Chrome's strict-origin-isolation flag is enabled
+ // or when the deprecated document.domain setter is fully removed.
+ try {
+ document.domain = domainWithoutSubdomain;
+ } catch (e) {
+ // Silently ignore - cross-origin communication will rely on postMessage
+ }
 iframeElement = this; // eslint-disable-line consistent-this
 if (!wasInitalized) {
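Review bot: The empty `catch (e)` around the `document.domain` assignment swallows the failure with no trace, yet the rest of the initialisation (the `iframeElement = this` line and whatever follows the hunk) proceeds as if the same-origin relaxation succeeded, which makes a misconfigured deployment indistinguishable from a working one when debugging. The file already has a `log` helper (used in the postMessage hunk above), so a one-line `log('could not set document.domain, falling back to postMessage', domainWithoutSubdomain, e);` keeps the best-effort behaviour while leaving evidence; if the binding stays unused, `} catch {` avoids the dead `e`. The enclosing function starts and ends outside the hunk.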