diff --git a/assets/img/guides/references/cy-visit-subsequent-commands-timed-out.png b/assets/img/guides/references/cy-visit-subsequent-commands-timed-out.png
new file mode 100644
index 0000000000..122f4c496f
Binary files /dev/null and b/assets/img/guides/references/cy-visit-subsequent-commands-timed-out.png differ
diff --git a/content/_data/sidebar.json b/content/_data/sidebar.json
index a42e602aaa..5972cb3d09 100644
--- a/content/_data/sidebar.json
+++ b/content/_data/sidebar.json
@@ -320,6 +320,14 @@
             {
               "title": "Cross Browser Testing",
               "slug": "cross-browser-testing"
+            },
+            {
+              "title": "Cross Origin Testing",
+              "slug": "cross-origin-testing"
+            },
+            {
+              "title": "Web Security",
+              "slug": "web-security"
             }
           ]
         },
diff --git a/content/api/commands/origin.md b/content/api/commands/origin.md
index 9265053963..741723c151 100644
--- a/content/api/commands/origin.md
+++ b/content/api/commands/origin.md
@@ -22,7 +22,10 @@ patterns commonly found in framebusting. When using the `cy.origin()` command,
 the third party code may also need to be modified for framebusting techniques.
 This can be enabled by setting the
 [`experimentalModifyObstructiveThirdPartyCode`](/guides/references/experiments)
-flag to `true` in the Cypress configuration.
+flag to `true` in the Cypress configuration. More information about this
+experimental flag can be found on our
+[Web Security](/guides/guides/web-security#Modifying-Obstructive-Third-Party-Code)
+page.
 
 </Alert>
 
diff --git a/content/faq/questions/using-cypress-faq.md b/content/faq/questions/using-cypress-faq.md
index d08b9db4eb..bc3126ade5 100644
--- a/content/faq/questions/using-cypress-faq.md
+++ b/content/faq/questions/using-cypress-faq.md
@@ -919,6 +919,8 @@ application under test runs in any way, so you can safely ignore this warning.
 The network traffic between Cypress and the backend server still happens via
 HTTPS.
 
+See also the [Web Security](/guides/guides/web-security) guide.
+
 ## <Icon name="angle-right"></Icon> Is there an option to run Cypress in CI with Developer Tools open? We want to track network and console issues.
 
 No. There is not currently a way to run Cypress in `cypress run` with Developer
diff --git a/content/guides/end-to-end-testing/okta-authentication.md b/content/guides/end-to-end-testing/okta-authentication.md
index 006a71323d..f3d7f679d1 100644
--- a/content/guides/end-to-end-testing/okta-authentication.md
+++ b/content/guides/end-to-end-testing/okta-authentication.md
@@ -12,7 +12,9 @@ e2eSpecific: true
 - Programmatically authenticate with [Okta](https://okta.com) via a custom
   Cypress command
 - Adapting your [Okta](https://okta.com) application for programmatic
-  authentication during testing </Alert>
+  authentication during testing
+
+</Alert>
 
 <Alert type="warning">
 
diff --git a/content/guides/guides/cross-browser-testing.md b/content/guides/guides/cross-browser-testing.md
index f25a0398cc..b0f946b5a1 100644
--- a/content/guides/guides/cross-browser-testing.md
+++ b/content/guides/guides/cross-browser-testing.md
@@ -14,7 +14,7 @@ browser engine), and Firefox.
 <strong class="alert-header">Web Security</strong>
 
 Tests that require the
-[`chromeWebSecurity` configuration option to be disabled](/guides/references/configuration#Browser)
+[`chromeWebSecurity` configuration option to be disabled](/guides/guides/web-security#Disabling-Web-Security)
 may experience issues in non-Chromium based browsers.
 
 </Alert>
diff --git a/content/guides/guides/cross-origin-testing.md b/content/guides/guides/cross-origin-testing.md
new file mode 100644
index 0000000000..40bc5f4bc0
--- /dev/null
+++ b/content/guides/guides/cross-origin-testing.md
@@ -0,0 +1,152 @@
+---
+title: Cross Origin Testing
+---
+
+<Alert type="info">
+
+<strong class="alert-header"> Note </strong>
+
+As of Cypress [v12.0.0](https://on.cypress.io/changelog#12-0-0), Cypress has the
+capability to visit multiple origins in a single test via the
+[cy.origin()](https://on.cypress.io/origin) command!
+
+</Alert>
+
+Cypress limits each test to visiting domains that share the same superdomain. If
+a navigation occurs that does not meet the same superdomain rule, the
+[`cy.origin()`](/api/commands/origin) command must be used to execute Cypress
+commands inside the newly navigated origin.
+
+But what is same superdomain? It is actually very similar to that of same
+origin! Two URLs have the same origin if the protocol, port (if specified), and
+host match. Cypress automatically handles hosts of the same superdomain by
+injecting the
+[`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain)
+property into the visited `text/html` pages. This is why navigations without the
+use of the [`cy.origin()`](/api/commands/origin) command are solely scope to the
+same superdomain.
+
+We understand this is a bit complicated to understand, so we have built a nifty
+chart to help clarify the differences!
+
+### Parts of a URL
+
+```
+┌───────────────────────────────────────────────────────────────────────────────────────┐
+│                                         href                                          │
+├──────────┬──┬─────────────────────────────────────┬───────────────────────────┬───────┤
+│ protocol │  │               host                  │           path            │ hash  │
+│          │  ├──────────────────────────────┬──────┼──────────┬────────────────┤       │
+│          │  │           hostname           │ port │ pathname │     search     │       │
+|          |  ├───────────┬──────────────────┤      │          │                │       │
+│          │  │ subdomain │ superdomain (sd) │      │          │                │       │
+|          |  ├───────────┼─────────┬────────┤      │          ├─┬──────────────┤       │
+│          │  │           │  domain │  TLD   │      │          │ │    query     │       │
+│          │  │           │         │        │      │          │ │              │       │
+"  https:   //     sub    . example .  com   : 8080   /p/a/t/h  ?  query=string   #hash "
+│                                                   │          │                │       │
+│                      origin                       │          |                │       │
+├─────────────┬───────────┬─────────────────────────┤          │                │       │
+│ (sd) origin │           │   (sd) origin           │          │                │       │
+└─────────────┴───────────┴─────────────────────────┴──────────┴────────────────┴───────┘
+```
+
+Given the URLs below, all have the same superdomain compared to
+`https://www.cypress.io`.
+
+- `https://cypress.io`
+- `https://docs.cypress.io`
+- `https://example.cypress.io/commands/querying`
+
+The URLs below, however, will have different superdomains/origins compared to
+`https://www.cypress.io`.
+
+- `http://www.cypress.io` (Different protocol)
+- `https://docs.cypress.io:81` (Different port)
+- `https://www.auth0.com/` (Different host of different superdomain)
+
+The `http://localhost` URLs differ if their ports are different. For example,
+the `http://localhost:3000` URL is considered to be a different origin from the
+`http://localhost:8080` URL.
+
+The rules are:
+
+- <Icon name="exclamation-triangle" color="red"></Icon> You **cannot**
+  [visit](/api/commands/visit) two domains of different superdomains in the same
+  test and continue to interact with the page without the use of the
+  [`cy.origin()`](/api/commands/origin) command.
+- <Icon name="check-circle" color="green"></Icon> You **can**
+  [visit](/api/commands/visit) two or more domains of different origin in
+  **different** tests without needing [`cy.origin()`](/api/commands/origin).
+
+For practical purposes, this means the following:
+
+```javascript
+// This test will run without error
+it('navigates', () => {
+  cy.visit('https://www.cypress.io')
+  cy.visit('https://docs.cypress.io')
+  cy.get('selector') // yup all good
+})
+```
+
+```javascript
+// this will error because stackoverflow.com doesn't match the cypress.io superdomain
+it('navigates', () => {
+  cy.visit('https://www.cypress.io')
+  cy.visit('https://stackoverflow.com')
+  cy.get('selector')
+})
+```
+
+To fix the above cross-origin error, use `cy.origin()` to indicate which origin
+the sequential command should run against:
+
+```javascript
+it('navigates', () => {
+  cy.visit('https://www.cypress.io')
+  cy.visit('https://stackoverflow.com')
+  cy.origin('https://stackoverflow.com', () => {
+    cy.get('selector') // yup all good
+  })
+})
+```
+
+```javascript
+it('navigates', () => {
+  cy.visit('https://www.cypress.io')
+})
+
+// split visiting different origin in another test
+it('navigates to new origin', () => {
+  cy.visit('https://stackoverflow.com')
+  cy.get('selector') // yup all good
+})
+```
+
+This limitation exists because Cypress switches to the domain under each
+specific test when it runs. For more information on this, please see our Web
+Security page regarding
+[Different superdomain per test requires cy.origin command](/guides/guides/web-security#Different-superdomain-per-test-requires-cy-origin-command).
+
+#### Other workarounds
+
+There are other ways of testing the interaction between two superdomains. The
+browser has a natural security barrier called `origin policy` this means that
+state like `localStorage`, `cookies`, `service workers` and many other APIs are
+not shared between them anyways. Cypress does offer APIs around `localStorage`,
+`sessionStorage`, and `cookies` that are not limited to this restriction.
+
+As a best practice, you should not visit or interact with a 3rd party service
+not under your control. However, there are exceptions! If your organization uses
+Single Sign On (SSO) or OAuth then you might involve a 3rd party service other
+than your superdomain, which can be safely tested with
+[`cy.origin()`](/api/commands/origin).
+
+We've written several other guides specifically about handling this situation.
+
+- [Best Practices: Visiting external sites](/guides/references/best-practices#Visiting-external-sites)
+- [Web Security: Common Workarounds](/guides/guides/web-security#Common-Workarounds)
+- [Recipes: Logging In - Single Sign On](/examples/examples/recipes#Logging-In)
+- [Guides: Amazon Cognito Authentication](/guides/end-to-end-testing/amazon-cognito-authentication)
+- [Guides: Okta Authentication](/guides/end-to-end-testing/okta-authentication)
diff --git a/content/guides/guides/web-security.md b/content/guides/guides/web-security.md
new file mode 100644
index 0000000000..1e5a203ec1
--- /dev/null
+++ b/content/guides/guides/web-security.md
@@ -0,0 +1,485 @@
+---
+title: Web Security
+e2eSpecific: true
+---
+
+Browsers adhere to a strict
+[same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).
+This means that browsers restrict access between `<iframes>` when their origin
+policies do not match.
+
+Because Cypress works from within the browser, Cypress must be able to directly
+communicate with your remote application at all times. Unfortunately, browsers
+naturally try to prevent Cypress from doing this.
+
+To get around these restrictions, Cypress implements some strategies involving
+JavaScript code, the browser's internal APIs, and network proxying to _play by
+the rules_ of same-origin policy. It is our goal to fully automate the
+application under test without you needing to modify your application's code -
+and we are _mostly_ able to do this.
+
+#### Examples of what Cypress does under the hood:
+
+- Injects
+  [`document.domain`](https://developer.mozilla.org/en-US/docs/Web/API/Document/domain)
+  into `text/html` pages.
+- Proxies all HTTP / HTTPS traffic.
+- Changes the hosted URL to match that of the application under test.
+- Uses the browser's internal APIs for network level traffic.
+
+When Cypress first loads, the internal Cypress web application is hosted on a
+random port: something like `http://localhost:65874/__/`.
+
+After the first [`cy.visit()`](/api/commands/visit) command is issued in a test,
+Cypress changes its URL to match the origin of your remote application, thereby
+solving the first major hurdle of same-origin policy. Your application's code
+executes the same as it does outside of Cypress, and everything works as
+expected.
+
+<Alert type="info">
+
+<strong class="alert-header">How is HTTPS supported?</strong>
+
+Cypress does some pretty interesting things under the hood to make testing HTTPS
+sites work. Cypress enables you to control and stub at the network level.
+Therefore, Cypress must assign and manage browser certificates to be able to
+modify the traffic in real time.
+
+You'll notice Chrome display a warning that the 'SSL certificate does not
+match'. This is normal and correct. Under the hood we act as our own CA
+authority and issue certificates dynamically in order to intercept requests
+otherwise impossible to access. We only do this for the superdomain currently
+under test, and bypass other traffic. That's why if you open a tab in Cypress to
+another host, the certificates match as expected.
+
+Note, that Cypress allows you to optionally specify CA / client certificate
+information for use with HTTPS sites. See
+[Configuring client certificates](/guides/references/client-certificates). If
+the remote server requests a client certificate for a configured URL, Cypress
+will supply it.
+
+</Alert>
+
+## Limitations
+
+It's important to note that although we do our **very best** to ensure your
+application works normally inside of Cypress, there _are_ some limitations you
+need to be aware of.
+
+### Different superdomain per test requires `cy.origin` command
+
+Cypress changes its own host URL to match that of your applications. With the
+exception of `cy.origin`, Cypress requires that the URLs navigated to have the
+same superdomain for the entirety of a single test.
+
+If you attempt to visit two different superdomains, the `cy.origin` command must
+be used to wrap Cypress commands of the second visited domain. Otherwise,
+Cypress commands will timeout after the navigation and will eventually error.
+This is because the commands that were expected to run on the second domain are
+actually being run on the first domain.
+
+Without `cy.origin`, you can visit different superdomains in _different_ tests,
+but not in the _same_ test. Please read our
+[Cross Origin Testing Guide](/guides/guides/cross-origin-testing) for more
+information.
+
+Although Cypress tries to enforce this limitation, it is possible for your
+application to bypass Cypress's ability to detect this.
+
+#### Examples of test cases that will error without the use of `cy.origin`
+
+1. [`.click()`](/api/commands/click) an `<a>` with an `href` to a different
+   superdomain with subsequent Cypress commands being run.
+2. [`.submit()`](/api/commands/submit) a `<form>` that causes your web server to
+   redirect to you a different superdomain where additional Cypress commands are
+   run.
+3. Issue a JavaScript redirect in your application, such as
+   `window.location.href = '...'`, to a different superdomain where additional
+   Cypress commands are run.
+
+In each of these situations, Cypress will lose the ability to automate your
+application and will error via command timeout unless the `cy.origin` command is
+used.
+
+Read on to learn about
+[working around these common problems](/guides/guides/web-security#Common-Workarounds).
+
+### Cross-origin iframes
+
+If your site embeds an `<iframe>` that is a cross-origin frame, Cypress will not
+be able to automate or communicate with this `<iframe>`.
+
+#### Examples of uses for cross-origin iframes
+
+- Embedding a Vimeo or YouTube video.
+- Displaying a credit card form from Stripe or Braintree.
+- Displaying an embedded login form from Auth0.
+- Showing comments from Disqus.
+
+It's actually _possible_ for Cypress to accommodate these situations the same
+way Selenium does, but you will never have _native_ access to these iframes from
+inside of Cypress.
+
+As a workaround, you may be able to use
+[`window.postMessage`](https://developer.mozilla.org/en-US/docs/Web/API/Window/postMessage)
+to directly communicate with these iframes and control them (if the 3rd party
+iframe supports it).
+
+Other than that, you'll have to wait for us to implement APIs to support this
+(check our [open issue](https://github.com/cypress-io/cypress/issues/136)), or
+you can
+[disable web security](/guides/guides/web-security#Disabling-Web-Security).
+
+### Insecure Content
+
+Because of the way Cypress is designed, if you are testing an HTTPS site,
+Cypress will error anytime you attempt to navigate back to an HTTP site. This
+behavior helps highlight a _pretty serious security problem_ with your
+application.
+
+#### Example of accessing insecure content
+
+```javascript
+// Test code
+cy.visit('https://app.corp.com')
+```
+
+In your application code, you set `cookies` and store a session on the browser.
+Now let's imagine you have a single `insecure` link (or JavaScript redirect) in
+your application code.
+
+```html
+<!-- Application code -->
+<html>
+  <a href="http://app.corp.com/page2">Page 2</a>
+</html>
+```
+
+Cypress will immediately fail with the following test code:
+
+```javascript
+// Test code
+cy.visit('https://app.corp.com')
+cy.get('a').click() // will fail
+```
+
+Browsers refuse to display insecure content on a secure page. Because Cypress
+initially changed its URL to match `https://app.corp.com` when the browser
+followed the `href` to `http://app.corp.com/page2`, the browser will refuse to
+display the contents.
+
+Now you may be thinking, _This sounds like a problem with Cypress because when I
+work with my application outside of Cypress it works just fine._
+
+However, the truth is, Cypress is exposing a _security vulnerability_ in your
+application, and you _want_ it to fail in Cypress.
+
+`cookies` that do not have their `secure` flag set to `true` will be sent as
+clear text to the insecure URL. This leaves your application vulnerable to
+session hijacking.
+
+This security vulnerability exists **even if** your web server forces a
+`301 redirect` back to the HTTPS site. The original HTTP request was still made
+once, exposing insecure session information.
+
+#### The solution
+
+Update your HTML or JavaScript code to not navigate to an insecure HTTP page and
+instead only use HTTPS. Additionally make sure that cookies have their `secure`
+flag set to `true`.
+
+If you're in a situation where you don't control the code, or otherwise cannot
+work around this, you can bypass this restriction in Cypress by
+[disabling web security](/guides/guides/web-security#Disabling-Web-Security).
+
+### Same port per test
+
+Cypress requires that the URLs navigated to have the same port (if specified)
+for the entirety of a single test. This matches the behavior of the browser's
+normal
+[same-origin policy](https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy).
+
+## Common Workarounds
+
+Let's investigate how you might encounter cross-origin errors in your test code
+and break down how to work around them in Cypress.
+
+### External Navigation
+
+The most common situation where you might encounter this error is when you click
+on an `<a>` that navigates to another superdomain.
+
+```html
+<!-- Application code that is served at `localhost:8080` -->
+<html>
+  <a href="https://stackoverflow.com">Stack Overflow</a>
+</html>
+```
+
+```javascript
+// Test code
+cy.visit('http://localhost:8080') // where your web server + HTML is hosted
+cy.get('a').click() // browser navigates to https://stackoverflow.com
+cy.get('selector').should('exist') // Cypress errors
+```
+
+We do not recommend visiting a superdomain that you don't control in your tests
+which you can read more about
+[here](/guides/references/best-practices#Visiting-external-sites)
+
+However, if you control this superdomain, either by owning the hosted instance
+or by other means, we recommend testing this superdomain with `cy.origin`.
+
+```javascript
+// Test code
+cy.visit('http://localhost:8080') // where your web server + HTML is hosted
+cy.get('a').click() // browser navigates to https://stackoverflow.com
+cy.origin('https://stackoverflow.com', () => {
+  // declare cy.origin command on expected domain
+  cy.get('selector').should('exist') // Yup all good
+})
+```
+
+If not in control of this superdomain, like in the case of `stackoverflow.com`,
+we recommend you test that the `href` property is correct instead of performing
+the navigation. This will help lead to more deterministic tests.
+
+```javascript
+// this test verifies the behavior and will run considerably faster
+cy.visit('http://localhost:8080')
+cy.get('a').should('have.attr', 'href', 'https://stackoverflow.com') // no page load!
+```
+
+If for any reason the two above methods cannot be leveraged,
+[`cy.request()`](/api/commands/request) may be an option to verify content as
+[`cy.request()`](/api/commands/request) is _NOT bound to CORS or same-origin
+policy_.
+
+```javascript
+cy.visit('http://localhost:8080')
+cy.get('a').then(($a) => {
+  // pull off the fully qualified href from the <a>
+  const url = $a.prop('href')
+
+  // make a cy.request to it
+  cy.request(url).its('body').should('include', '</html>')
+})
+```
+
+### Form Submission Redirects
+
+When you submit a regular HTML form, the browser will follow the HTTP(s)
+request.
+
+```html
+<!-- Application code that is served at `localhost:8080`-->
+<html>
+  <form method="POST" action="/submit">
+    <input type="text" name="email" />
+    <input type="submit" value="Submit" />
+  </form>
+</html>
+```
+
+```javascript
+cy.visit('http://localhost:8080')
+cy.get('form').submit() // submit the form!
+```
+
+If your back end server handling the `/submit` route does a `30x` redirect to a
+different superdomain, you will need to use the `cy.origin` command if running
+additional Cypress commands after submitting the form.
+
+```javascript
+// imagine this is some node / express code
+// on your localhost:8080 server
+
+app.post('/submit', (req, res) => {
+  // redirect the browser to superduperdomains.com
+  res.redirect('https://superduperdomains.com')
+})
+```
+
+You can test this with `cy.origin`, which may look like the following test case:
+
+```javascript
+cy.visit('http://localhost:8080')
+cy.get('form').submit() // submit the form!
+cy.origin('https://superduperdomains.com', () => {
+  cy.url().should('contain', 'superduperdomains.com')
+})
+```
+
+A common use case for this is Single sign-on (SSO), OAuth, Open ID Connect
+(OIDC), or Authentication as a Service platforms, such as Auth0, Okta, Amazon
+Cognito, and others.
+
+In these situations, if controlling the domain under test, we recommend that you
+test these with `cy.origin`.
+
+```javascript
+cy.visit('http://localhost:8080')
+cy.get('#login').click() // click a login button, which takes us to our authentication page.
+cy.origin('https://my-authentication-instance.com', () => {
+  cy.get('#username').type('User1')
+  cy.get('#password').type('Password123')
+
+  // prompts a sign in that redirects to http://localhost:8080 with a token, cookie, or other means of acknowledgement
+  cy.get('button').contains('Sign In').click()
+})
+
+cy.get('#user-name-welcome').should('equal', 'Welcome, User1!')
+```
+
+If for any reason you cannot leverage `cy.origin`, programmatic authentication
+is still an option. In this situation you may `POST` to a different server and
+are redirected elsewhere (typically with the session token in the URL). If
+that's the case, you can still test this behavior with
+[`cy.request()`](/api/commands/request).
+
+In fact we can likely bypass the initial visit altogether and `POST` directly to
+your SSO server.
+
+```javascript
+cy.request('POST', 'https://sso.corp.com/auth', {
+  username: 'foo',
+  password: 'bar',
+}).then((response) => {
+  // pull out the location redirect
+  const loc = response.headers['Location']
+
+  // parse out the token from the url (assuming its in there)
+  const token = parseOutMyToken(loc)
+
+  // do something with the token that your web application expects
+  // likely the same behavior as what your SSO does under the hood
+  // assuming it handles query string tokens like this
+  cy.visit('http://localhost:8080?token=' + token)
+
+  // if you don't need to work with the token you can sometimes
+  // visit the location header directly
+  cy.visit(loc)
+})
+```
+
+### JavaScript Redirects
+
+When we say JavaScript Redirects we are talking about any kind of code that does
+something like this:
+
+```html
+<!-- Application code that is served at `localhost:8080` -->
+<html>
+  <button id="nav">Navigate to some.superdomain.com</button>
+  <script>
+    document.querySelector('#nav').addEventListener('click', () => {
+      window.location.href = 'http://some.superdomain.com'
+    })
+  </script>
+</html>
+```
+
+You can test this with `cy.origin`, which may look like the following test case:
+
+```javascript
+cy.visit('http://localhost:8080')
+cy.get('#nav').submit() // trigger a javascript redirect!
+cy.origin('http://some.superdomain.com', () => {
+  cy.url().should('contain', 'some.superdomain.com')
+})
+```
+
+### Cross-Origin Errors with `cy.origin`
+
+Sometimes, when using `cy.origin` and especially with websites that are not
+under your immediate test control, cross-origin errors may still tend to creep
+up. We don't recommend visiting or interacting with sites you
+[do not control](/guides/references/best-practices#Visiting-external-sites).
+However, if this is necessary, most of these issues can usually be remedied by
+either apply the [modify obstructive third-party code]() experimental flag or by
+[disabling web security](/guides/guides/web-security#Disabling-Web-Security).
+
+## Disabling Web Security
+
+So if you cannot work around any of the issues using the suggested workarounds
+above, including
+[modifying obstructive third-party code](/guides/guides/web-security#Modifying-Obstructive-Third-Party-Code)
+with `cy.origin`, you may want to disable web security.
+
+One last thing to consider here is that every once in a while we discover bugs
+in Cypress that lead to cross-origin errors that can otherwise be fixed. If you
+think you're experiencing a bug,
+[open an issue](https://github.com/cypress-io/cypress/issues/new/choose).
+
+<Alert type="warning">
+
+<strong class="alert-header">Chrome only</strong>
+
+Disabling web security is only supported in Chrome-based browsers. Settings in
+`chromeWebSecurity` will have no effect in other browsers. We will log a warning
+in this case.
+
+<DocsImage src="/img/guides/web-security/chrome-web-security-stdout-warning.jpg" alt='chromeWebSecurity warning in stdout'></DocsImage>
+
+If you rely on disabling web security, you will not be able to run tests on
+browsers that do not support this feature.
+
+</Alert>
+
+### Set `chromeWebSecurity` to `false`
+
+Setting `chromeWebSecurity` to `false` in Chrome-based browsers allows you to do
+the following:
+
+- Display insecure content
+- Navigate to any superdomain without cross-origin errors with or without
+  `cy.origin`
+- Access cross-origin iframes that are embedded in your application
+
+Still here? That's cool, let's disable web security!
+
+#### Set `chromeWebSecurity` to `false` in the [Cypress configuration](/guides/references/configuration)
+
+:::cypress-config-example
+
+```js
+{
+  chromeWebSecurity: false
+}
+```
+
+:::
+
+## Modifying Obstructive Third Party Code
+
+Cypress today has the concept of
+[modifying obstructive code](/guides/references/configuration#modifyObstructiveCode),
+which is code that may interfere with Cypress being able to run your web
+application. The `experimentalModifyObstructiveThirdPartyCode` flag provides the
+same benefits of the
+[modifyObstructiveCode](/guides/references/configuration#modifyObstructiveCode)
+flag, but additionally applies it to third-party `.js` and `.html` that is being
+either loaded or navigated to inside your application. In addition to this, this
+flag also does the following:
+
+- Adjusts the User Agent in Electron to appear more chrome-like. This option can
+  be overridden with the
+  [userAgent](http://localhost:3000/guides/references/configuration#Browser)
+  config option.
+- Removes
+  [Subresource Integrity (SRI)](https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity)
+  from modified scripts as they will not execute otherwise.
+- Updates the `Sec-Fetch-Dest` Metadata header from `iframe` to `document` in
+  cases where requests come from the application under test.
+
+Want to enable `experimentalModifyObstructiveThirdPartyCode`? Let's do it!
+
+:::cypress-config-example
+
+```js
+{
+  experimentalModifyObstructiveThirdPartyCode: true
+}
+```
+
+:::
diff --git a/content/guides/overview/key-differences.md b/content/guides/overview/key-differences.md
index a9969a1f35..ea86a88784 100644
--- a/content/guides/overview/key-differences.md
+++ b/content/guides/overview/key-differences.md
@@ -92,16 +92,18 @@ Trying to test hard to reach areas of your application? Don't like the side
 effects an action creates? Tired of repeating the same repetitive and slow
 actions over and over again? You can skip them for most test cases.
 
-Cypress prevents you from being forced to always 'act like a user' to generate
-the state of a given situation. With Cypress you can programmatically interact
-and control your application. You no longer have to use your UI to build up
-state.
-
-That means you do not have to visit a login page, type in a username and
-password and wait for the page to load and/or redirect for every test you run.
-Cypress gives you the ability to take shortcuts and programmatically log in.
-With commands like [`cy.request()`](/api/commands/request), you can send HTTP
-requests directly, yet have those requests synchronized with the browser.
+Cypress allows for browser context to be cached with
+[`cy.session()`](/api/commands/session). This means as a user, you only need to
+perform authentication once for the entirety of your test suite, and restore the
+saved session between each test. That means you do not have to visit a login
+page, type in a username and password and wait for the page to load and/or
+redirect for every test you run. You can accomplish this once with
+[`cy.session()`](/api/commands/session) and if needed,
+[`cy.origin()`](/api/commands/origin).
+
+Cypress also gives you the ability to take shortcuts and programmatically log
+in. With commands like [`cy.request()`](/api/commands/request), you can send
+HTTP requests directly, yet have those requests synchronized with the browser.
 Cookies are automatically sent and applied back. Worried about CORS? Don't be,
 it is completely bypassed. The power to choose when to test like a user and when
 to skip slow and repetitive parts is yours.
diff --git a/content/guides/references/best-practices.md b/content/guides/references/best-practices.md
index e9e95c38bb..6ab109cc8d 100644
--- a/content/guides/references/best-practices.md
+++ b/content/guides/references/best-practices.md
@@ -283,39 +283,58 @@ to visit or interact with sites or servers you do not control.
 <Alert type="success">
 
 <Icon name="check-circle" color="green"></Icon> **Best Practice:** Only test
-what you control. Try to avoid requiring a 3rd party server. When necessary,
-always use [`cy.request()`](/api/commands/request) to talk to 3rd party servers
-via their APIs.
+what you control. Try to avoid requiring a 3rd party server. When necessary, use
+[`cy.request()`](/api/commands/request) to talk to 3rd party servers via their
+APIs. If possible, cache results via [`cy.session()`](/api/commands/session) to
+avoid repeat visits.
 
 </Alert>
 
 One of the first things many of our users attempt to do is involve 3rd party
-servers in their tests.
+servers or services in their tests.
 
-You may want to access 3rd party servers in several situations:
+You may want to access 3rd party services in several situations:
 
 1. Testing log in when your app uses another provider via OAuth.
 2. Verifying your server updates a 3rd party server.
 3. Checking your email to see if your server sent a "forgot password" email.
 
-Initially you may be tempted to use [`cy.visit()`](/api/commands/visit) or use
-Cypress to traverse to the 3rd party login window.
-
-However, you should **never** use your UI or visit a 3rd party site when testing
-because:
-
-- It is incredibly time consuming and slows down your tests.
+Most of the time, these situations can be safely tested with
+[`cy.visit()`](/api/commands/visit) and [`cy.origin()`](/api/commands/origin).
+However, you will only want to utilize these commands for resources in your
+control, either by controlling the domain or hosted instance. These use cases
+are common for:
+
+- Authentication as a service platforms, such as Auth0, Okta, Microsoft, AWS
+  Cognito, and others via username/password authentication. These domains and
+  service instances are usually owned and controlled by you or your
+  organization.
+- CMS instances, such as a Contentful or Wordpress instance.
+- Other types of services under a domain in which you control.
+
+Other services, such as social logins through popular media providers, are not
+recommended. Social logins will likely work, especially if run locally. However,
+we consider this a bad practice and do not recommend it because:
+
+- It is incredibly time consuming and slows down your tests (unless using
+  [`cy.session()`](/api/commands/session)).
 - The 3rd party site may have changed or updated its content.
 - The 3rd party site may be having issues outside of your control.
 - The 3rd party site may detect you are testing via a script and block you.
+- The 3rd party site might have policies against automated login, leading to
+  banning of accounts.
+- The 3rd party site might detect you are a bot, and provide mechanisms such as
+  two-factor authentication, captchas, and other means to prevent automation.
+  This is common with continuous integration platforms and general automation.
 - The 3rd party site may be running A/B campaigns.
 
 Let's look at a few strategies for dealing with these situations.
 
 ### When logging in:
 
-Many OAuth providers run A/B experiments, which means that their login screen is
-dynamically changing. This makes automated testing difficult.
+Many OAuth providers, especially social logins, run A/B experiments, which means
+that their login screen is dynamically changing. This makes automated testing
+difficult.
 
 Many OAuth providers also throttle the number of web requests you can make to
 them. For instance, if you try to test Google, Google will **automatically**
@@ -328,19 +347,27 @@ affect other tests downstream.
 
 **Here are potential solutions to alleviate these problems:**
 
-1. [Stub](/api/commands/stub) out the OAuth provider and bypass using their UI
-   altogether. You could trick your application into believing the OAuth
-   provider has passed its token to your application.
-2. If you **must** get a real token you can use
-   [`cy.request()`](/api/commands/request) and use the **programmatic** API that
-   your OAuth provider provides. These APIs likely change **more** infrequently
-   and you avoid problems like throttling and A/B campaigns.
-3. Instead of having your test code bypass OAuth, you could also ask your server
+1. Use another platform that you control to log in with username and password
+   via [`cy.origin()`](/api/commands/origin). This likely guarantees that you
+   will not run into the problems listed above, while still being able to
+   automate your login flow. You can reduce the amount of authentication
+   requests by utilizing [`cy.session()`](/api/commands/session).
+2. [Stub](/api/commands/stub) out the OAuth provider and bypass it using their
+   UI altogether if [`cy.origin()`](/api/commands/origin) is not an option. You
+   could trick your application into believing the OAuth provider has passed its
+   token to your application.
+3. If you **must** get a real token and [`cy.origin()`](/api/commands/origin) is
+   not an option, you can use [`cy.request()`](/api/commands/request) and use
+   the **programmatic** API that your OAuth provider provides. These APIs likely
+   change **more** infrequently and you avoid problems like throttling and A/B
+   campaigns.
+4. Instead of having your test code bypass OAuth, you could also ask your server
    for help. Perhaps all an OAuth token does is generate a user in your
    database. Oftentimes OAuth is only useful initially and your server
    establishes its own session with the client. If that is the case, use
    [`cy.request()`](/api/commands/request) to get the session directly from your
-   server and bypass the provider altogether.
+   server and bypass the provider altogether if
+   [`cy.origin()`](/api/commands/origin) is not an option.
 
 <Alert type="info">
 
@@ -389,7 +416,7 @@ email's functionality and visual style:
   alt="The test finds and clicks the Confirm registration button"></DocsImage>
 
 3. In other cases, you should try using [`cy.request()`](/api/commands/request)
-   command to query the an endpoint on your server that tells you what email has
+   command to query the endpoint on your server that tells you what email has
    been queued or delivered. That would give you a programmatic way to know
    without involving the UI. Your server would have to expose this endpoint.
 4. You could also use `cy.request()` to a 3rd party email recipient server that
diff --git a/content/guides/references/configuration.md b/content/guides/references/configuration.md
index bce0d0d5a2..24a5d83ae4 100644
--- a/content/guides/references/configuration.md
+++ b/content/guides/references/configuration.md
@@ -759,6 +759,9 @@ not** implement these security measures. Additionally it's possible that the
 patterns we search for may accidentally rewrite valid JS code. If that's the
 case, please disable this option.
 
+Details for `experimentalModifyObstructiveThirdPartyCode` can be found
+[here](/guides/guides/web-security#Modifying-Obstructive-Third-Party-Code).
+
 ### setupNodeEvents
 
 The `setupNodeEvents` function allows you to tap into, modify, or extend the
diff --git a/content/guides/references/error-messages.md b/content/guides/references/error-messages.md
index 9bf7f07f2e..1808c8eed7 100644
--- a/content/guides/references/error-messages.md
+++ b/content/guides/references/error-messages.md
@@ -150,7 +150,7 @@ describe('detachment example', () => {
 })
 -->
 
-<DocsImage src="/img/guides/references/cy-method-failed-page-updated.png" alt="cy.method() failed because the page updated" ></DocsImage>
+<DocsImage src="/img/guides/references/cypress-method-failed-page-updated.png" alt="cy.method() failed because the page updated" ></DocsImage>
 
 Cypress errors because after a command, the subject becomes 'fixed' to a
 specific element - since it can't retry commands, if the element becomes
@@ -430,11 +430,29 @@ it('does not forget to return a promise', () => {
 
 ### <Icon name="exclamation-triangle" color="red"></Icon> `cy.visit()` failed because you are attempting to visit a second unique domain
 
-::include{file=partials/single-domain-workaround.md}
+<Alert>
+
+<strong class="alert-header">Note</strong>
+
+This error only pertains to Cypress version `v11.0.0` and under. As of Cypress
+[v12.0.0](https://on.cypress.io/changelog#12-0-0), users can navigate to
+multiple domains in a single test.
+
+</Alert>
+
+See our [Web Security](/guides/guides/web-security#Limitations) documentation.
 
 ### <Icon name="exclamation-triangle" color="red"></Icon> `cy.visit()` failed because you are attempting to visit a different origin domain
 
-::include{file=partials/single-domain-workaround.md}
+<Alert>
+
+<strong class="alert-header">Note</strong>
+
+This error only pertains to Cypress version `v11.0.0` and under. As of Cypress
+[v12.0.0](https://on.cypress.io/changelog#12-0-0), users can navigate to
+multiple domains in a single test.
+
+</Alert>
 
 Two URLs have the same origin if the `protocol`, `port` (if specified), and
 `host` are the same for both. You can only visit domains that are of the
@@ -446,6 +464,54 @@ You can visit urls that are of different origin across different tests, so you
 may consider splitting your `cy.visit()` of different origin domains into
 separate tests.
 
+See our [Web Security](/guides/guides/web-security#Limitations) documentation
+for more information and workarounds.
+
+### <Icon name="exclamation-triangle" color="red"></Icon> `cy.visit()` succeeded, but commands are timing out
+
+As of Cypress [v12.0.0](https://on.cypress.io/changelog#12-0-0), users can
+navigate to multiple domains in a single test. The following test will succeed
+as-is:
+
+```javascript
+it('navigates to docs.cypress.io', () => {
+  cy.visit('http://localhost:3000')
+  cy.visit('https://docs.cypress.io') // visit a different superdomain
+})
+```
+
+However, when the newly visited URL is not considered the same superdomain, the
+[`cy.origin()`](/api/commands/origin) command **must** be used to interact with
+the newly visited domain. The following test is incorrect:
+
+```javascript
+it('navigates to docs.cypress.io and runs additional commands', () => {
+  cy.visit('http://localhost:3000')
+  cy.visit('https://docs.cypress.io') // visit a different superdomain
+  cy.get('h1').should('contain', 'Why Cypress?') // fails
+})
+```
+
+And will result in the following error:
+
+<DocsImage src="/img/guides/references/cy-visit-subsequent-commands-timed-out.png" alt="cy.visit() subsequent commands timed out" ></DocsImage>
+
+In order to fix this, our `cy.get()` command **must** be wrapped with the
+[`cy.origin()`](/api/commands/origin) command, like so:
+
+```javascript
+it('navigates to docs.cypress.io and runs additional commands', () => {
+  cy.visit('http://localhost:3000')
+  cy.visit('https://docs.cypress.io') // visit a different superdomain
+  cy.origin('https://docs.cypress.io', () => {
+    cy.get('h1').should('contain', 'Why Cypress?') // now succeeds!
+  })
+})
+```
+
+See our [Web Security](/guides/guides/web-security#Limitations) documentation
+for more information and workarounds.
+
 ### <Icon name="exclamation-triangle" color="red"></Icon> `Cypress.addParentCommand()` / `Cypress.addDualCommand()` / `Cypress.addChildCommand()` has been removed and replaced by `Cypress.Commands.add()`
 
 In version [0.20.0](/guides/references/changelog), we removed the commands for
diff --git a/content/guides/references/legacy-configuration.md b/content/guides/references/legacy-configuration.md
index e90e738a85..0d11716cc0 100644
--- a/content/guides/references/legacy-configuration.md
+++ b/content/guides/references/legacy-configuration.md
@@ -117,7 +117,7 @@ For more options regarding screenshots, view the
 
 | Option                  | Default                              | Description                                                                                                                                                                                                                                                                                                                                                        |
 | ----------------------- | ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
-| `chromeWebSecurity`     | `true`                               | Whether to enable Chromium-based browser's Web Security for same-origin policy and insecure mixed content.                                                                                                                                                                                                                                                         |
+| `chromeWebSecurity`     | `true`                               | Whether to enable Chromium-based browser's Web Security for same-origin policy and insecure mixed content. [Read more about Web Security](/guides/guides/web-security).                                                                                                                                                                                            |
 | `blockHosts`            | `null`                               | A String or Array of hosts that you wish to block traffic for. [Please read the notes for examples on using this.](#blockHosts)                                                                                                                                                                                                                                    |
 | `firefoxGcInterval`     | `{ "runMode": 1, "openMode": null }` | (Firefox 79 and below only) Controls whether Cypress forces Firefox to run garbage collection (GC) cleanup and how frequently. During [cypress run](/guides/guides/command-line#cypress-run), the default value is `1`. During [cypress open](/guides/guides/command-line#cypress-open), the default value is `null`. See full details [here](#firefoxGcInterval). |
 | `modifyObstructiveCode` | `true`                               | Whether Cypress will search for and replace obstructive JS code in `.js` or `.html` files. [Please read the notes for more information on this setting.](#modifyObstructiveCode)                                                                                                                                                                                   |
diff --git a/content/guides/references/trade-offs.md b/content/guides/references/trade-offs.md
index ed9e4737ee..4c7aa22f31 100644
--- a/content/guides/references/trade-offs.md
+++ b/content/guides/references/trade-offs.md
@@ -22,7 +22,10 @@ to have. In a sense they prevent you from writing bad, slow, or flaky tests.
 - There will never be support for [multiple browser tabs](#Multiple-tabs).
 - You cannot use Cypress to drive
   [two browsers at the same time](#Multiple-browsers-open-at-the-same-time).
-- Each test is bound to a [single origin](#Same-origin).
+- Each test is bound to a single superdomain. Cross-origin navigation inside
+  tests can be enabled by using the [`cy.origin`](/api/commands/origin) command.
+  Please read our
+  [Cross Origin Testing Guide](/guides/guides/cross-origin-testing).
 
 #### Temporary trade-offs:
 
diff --git a/content/partials/single-domain-workaround.md b/content/partials/single-domain-workaround.md
deleted file mode 100644
index 8e86e48114..0000000000
--- a/content/partials/single-domain-workaround.md
+++ /dev/null
@@ -1,10 +0,0 @@
-<Alert type="info">
-
-<strong class="alert-header">🎉 Workaround 🎉</strong>
-
-As of Cypress [v9.6.0](https://on.cypress.io/changelog#9-6-0), you can easily
-test multi-domain workflows in a single test by using the experimental
-[cy.origin()](https://on.cypress.io/origin) command. For more details, read
-[our blog post](https://cypress.io/blog/2022/04/25/cypress-9-6-0-easily-test-multi-domain-workflows-with-cy-origin/).
-
-</Alert>