Check browsing context before set document.domain

According to spec[1], when document object doesn't have browsing context, it should throw a "SecurityError" DOMException. [1] https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain BUG=850432 Change-Id: Ibc12decadb2405bb5f3b190d60ad65e1ee21303b Reviewed-on: https://chromium-review.googlesource.com/1112937Reviewed-by: Kent Tamura <tkent@chromium.org> Commit-Queue: Kent Tamura <tkent@chromium.org> Cr-Commit-Position: refs/heads/master@{#569942}

Check browsing context before set document.domain
According to spec[1], when document object doesn't have browsing context, it should throw a "SecurityError" DOMException. [1] https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain BUG=850432 Change-Id: Ibc12decadb2405bb5f3b190d60ad65e1ee21303b Reviewed-on: https://chromium-review.googlesource.com/1112937Reviewed-by: Kent Tamura <tkent@chromium.org> Commit-Queue: Kent Tamura <tkent@chromium.org> Cr-Commit-Position: refs/heads/master@{#569942}
5dd78c18 · Sunny · Commit Bot · 7ed4cd1f · 7ed4cd1f · 7ed4cd1f
Commit 5dd78c18 authored Jun 25, 2018 by Sunny Committed by Commit Bot Jun 25, 2018
3 changed files
--- a/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_setter-expected.txt
+++ b/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_setter-expected.txt
-This is a testharness.js-based test.
-PASS failed setting of document.domain
-PASS same-origin-domain iframe
-FAIL failed setting of document.domain for documents without browsing context assert_throws: function "() => { (new Document).domain = document.domain }" did not throw
-Harness: the test ran to completion.
-
--- a/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/sandboxed-document_domain-expected.txt
+++ b/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/sandboxed-document_domain-expected.txt
-This is a testharness.js-based test.
-PASS Sandboxed document.domain
-FAIL Sandboxed document.domain 1 assert_throws: function "() => { (new Document).domain = document.domain }" did not throw
-FAIL Sandboxed document.domain 2 assert_throws: function "() => { document.implementation.createHTMLDocument().domain = document.domain }" did not throw
-FAIL Sandboxed document.domain 3 assert_throws: function "() => { document.implementation.createDocument(null, "").domain = document.domain }" did not throw
-PASS Sandboxed document.domain 4
-Harness: the test ran to completion.
-
--- a/third_party/blink/renderer/core/dom/document.cc
+++ b/third_party/blink/renderer/core/dom/document.cc
@@ -5253,6 +5253,12 @@ void Document::setDomain(const String& raw_domain,
                         ExceptionState& exception_state) {
  UseCounter::Count(*this, WebFeature::kDocumentSetDomain);

+  if (!frame_) {
+    exception_state.ThrowSecurityError(
+        "A browsing context is required to set a domain.");
+    return;
+  }
+
  if (IsSandboxed(kSandboxDocumentDomain)) {
    exception_state.ThrowSecurityError(
        "Assignment is forbidden for sandboxed iframes.");