Comment 4 for bug 1431015

Dolph Mathews (dolph) wrote:

The assertion being made by OP is that the domain which owns the scoped project should become the domain upon which the action is performed, but I would consider that behavior to be a privilege escalation vulnerability. The user is presenting explicit domain-level authorization on a domain-level resource, and would thus be circumventing the intended policy.json behavior.