Actually the to attribute shouldn't even be included.
It's perfectly ok to include the XML here instead of linking to an external site, in case it ever goes away in the future.
<!-- OUT -->
<iq to="localhost" type="set" id="40924263533590377" xmlns="jabber:client">
<!-- IN -->
<iq id="40924263533590377" type="error" xmlns="jabber:client" from="localhost">
My bad, double checked and it is working as expected (without "to" attribute).
I got confused by the fact that the bind request succeed with "local@domain" but not with "domain".
Not sure if it should be considered a bug though.
The bind request isn't technically a stanza, since you can't send stanzas until after resource binding. But it looks like an iq stanza for historical reasons.
Prosody is currently routing it as a normal iq stanza, but does not allow anything else until after resource binding. Internally, if a stanza has to='account bare jid', it removes the attribute to simplify later processing. This is why it's currently working when it actually should not. But then, the client MUST NOT send that.
I'm not opposed to making this stricter, but I would not consider it a priority.
One way to fix that would be https://hg.prosody.im/timber/rev/5d49c365f52c (as part of an experimental/incomplete break out of core routing code into a module).