document-domain.sub.https.html (1860B)
1 <!DOCTYPE html> 2 <meta charset="utf-8"> 3 <title>Setting document.domain does not change same-originness when origin-keyed</title> 4 <script src="/resources/testharness.js"></script> 5 <script src="/resources/testharnessreport.js"></script> 6 7 <!-- 8 Other tests check that using document.domain doesn't allow cross-origin 9 access. This test ensures a different, more subtle property: that 10 origin-keying makes document.domain into a no-op in other ways. 11 --> 12 13 <iframe src="resources/frame.html"></iframe> 14 <iframe src="//{{domains[www1]}}:{{location[port]}}/html/browsers/origin/origin-keyed-agent-clusters/resources/frame.html"></iframe> 15 16 <script type="module"> 17 setup({ explicit_done: true }); 18 19 window.onload = () => { 20 test(() => { 21 // Normally, setting document.domain to itself would change the domain 22 // component of the origin. Since the iframe does *not* set document.domain, 23 // the two would then be considered cross-origin. 24 document.domain = document.domain; 25 26 // However, because we're origin-keyed, this shouldn't have any impact. The 27 // test fails if this throws, and passes if it succeeds. 28 frames[0].document; 29 }, "Setting document.domain must not change same-originness"); 30 31 test(() => { 32 assert_throws_dom("SecurityError", () => { 33 document.domain = "{{hosts[][nonexistent]}}"; 34 }); 35 }, "The registrable domain suffix check must happen before the bail-out"); 36 37 async_test(t => { 38 frames[1].postMessage({ 39 type: "set document.domain", 40 newValue: "{{host}}" 41 }, "*"); 42 43 window.onmessage = t.step_func_done(e => { 44 assert_equals(e.data.type, "new document.domain"); 45 assert_equals(e.data.result, "{{domains[www1]}}"); 46 }); 47 }, "Having an origin-keyed subdomain child try to set document.domain " + 48 "must not change the document.domain value it sees"); 49 50 done(); 51 }; 52 </script>