diff options
Diffstat (limited to 'testing/web-platform/tests/html/browsers/origin/origin-keyed-agent-clusters/document-domain.sub.https.html')
| -rw-r--r-- | testing/web-platform/tests/html/browsers/origin/origin-keyed-agent-clusters/document-domain.sub.https.html | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/testing/web-platform/tests/html/browsers/origin/origin-keyed-agent-clusters/document-domain.sub.https.html b/testing/web-platform/tests/html/browsers/origin/origin-keyed-agent-clusters/document-domain.sub.https.html new file mode 100644 index 0000000000..b4535d9e54 --- /dev/null +++ b/testing/web-platform/tests/html/browsers/origin/origin-keyed-agent-clusters/document-domain.sub.https.html @@ -0,0 +1,52 @@ +<!DOCTYPE html> +<meta charset="utf-8"> +<title>Setting document.domain does not change same-originness when origin-keyed</title> +<script src="/resources/testharness.js"></script> +<script src="/resources/testharnessreport.js"></script> + +<!-- + Other tests check that using document.domain doesn't allow cross-origin + access. This test ensures a different, more subtle property: that + origin-keying makes document.domain into a no-op in other ways. +--> + +<iframe src="resources/frame.html"></iframe> +<iframe src="//{{domains[www1]}}:{{location[port]}}/html/browsers/origin/origin-keyed-agent-clusters/resources/frame.html"></iframe> + +<script type="module"> +setup({ explicit_done: true }); + +window.onload = () => { + test(() => { + // Normally, setting document.domain to itself would change the domain + // component of the origin. Since the iframe does *not* set document.domain, + // the two would then be considered cross-origin. + document.domain = document.domain; + + // However, because we're origin-keyed, this shouldn't have any impact. The + // test fails if this throws, and passes if it succeeds. + frames[0].document; + }, "Setting document.domain must not change same-originness"); + + test(() => { + assert_throws_dom("SecurityError", () => { + document.domain = "{{hosts[][nonexistent]}}"; + }); + }, "The registrable domain suffix check must happen before the bail-out"); + + async_test(t => { + frames[1].postMessage({ + type: "set document.domain", + newValue: "{{host}}" + }, "*"); + + window.onmessage = t.step_func_done(e => { + assert_equals(e.data.type, "new document.domain"); + assert_equals(e.data.result, "{{domains[www1]}}"); + }); + }, "Having an origin-keyed subdomain child try to set document.domain " + + "must not change the document.domain value it sees"); + + done(); +}; +</script> |