1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
|
<!DOCTYPE html>
<meta charset="utf-8">
<title>Setting document.domain does not change same-originness when origin-keyed</title>
<script src="/resources/testharness.js"></script>
<script src="/resources/testharnessreport.js"></script>
<!--
Other tests check that using document.domain doesn't allow cross-origin
access. This test ensures a different, more subtle property: that
origin-keying makes document.domain into a no-op in other ways.
-->
<iframe src="resources/frame.html"></iframe>
<iframe src="//{{domains[www1]}}:{{location[port]}}/html/browsers/origin/origin-keyed-agent-clusters/resources/frame.html"></iframe>
<script type="module">
setup({ explicit_done: true });
window.onload = () => {
test(() => {
// Normally, setting document.domain to itself would change the domain
// component of the origin. Since the iframe does *not* set document.domain,
// the two would then be considered cross-origin.
document.domain = document.domain;
// However, because we're origin-keyed, this shouldn't have any impact. The
// test fails if this throws, and passes if it succeeds.
frames[0].document;
}, "Setting document.domain must not change same-originness");
test(() => {
assert_throws_dom("SecurityError", () => {
document.domain = "{{hosts[][nonexistent]}}";
});
}, "The registrable domain suffix check must happen before the bail-out");
async_test(t => {
frames[1].postMessage({
type: "set document.domain",
newValue: "{{host}}"
}, "*");
window.onmessage = t.step_func_done(e => {
assert_equals(e.data.type, "new document.domain");
assert_equals(e.data.result, "{{domains[www1]}}");
});
}, "Having an origin-keyed subdomain child try to set document.domain " +
"must not change the document.domain value it sees");
done();
};
</script>
|
