Origin isolation: make document.domain a no-op

Cross-origin access *via* document.domain is automatically prohibited
by the rest of the Chromium infrastructure. However, the other effects
of document.domain need to be explicitly no-op'ed.

Bug: 1042415
Change-Id: I1957c924f31c985d988988c06368323aa508a19c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2419144Reviewed-by: Yutaka Hirano <yhirano@chromium.org>
Commit-Queue: Domenic Denicola <domenic@chromium.org>
Cr-Commit-Position: refs/heads/master@{#809817}

third_party/blink/renderer/core/dom/document.cc

@@ -622,7 +622,6 @@ class Document::NetworkStateObserver final
     : public GarbageCollected<Document::NetworkStateObserver>,
       public NetworkStateNotifier::NetworkStateObserver,
       public ExecutionContextLifecycleObserver {
-
  public:
   explicit NetworkStateObserver(ExecutionContext* context)
       : ExecutionContextLifecycleObserver(context) {
@@ -5919,6 +5918,16 @@ void Document::setDomain(const String& raw_domain,
     return;
   }
 
+  if (RuntimeEnabledFeatures::OriginIsolationHeaderEnabled(dom_window_) &&
+      dom_window_->GetAgent()->IsOriginIsolated()) {
+    AddConsoleMessage(MakeGarbageCollected<ConsoleMessage>(
+        mojom::blink::ConsoleMessageSource::kSecurity,
+        mojom::blink::ConsoleMessageLevel::kWarning,
+        "document.domain mutation is ignored because the surrounding agent "
+        "cluster is origin-isolated."));
+    return;
+  }
+
   if (GetFrame()) {
     UseCounter::Count(*this,
                       dom_window_->GetSecurityOrigin()->Port() == 0

third_party/blink/web_tests/external/wpt/origin-isolation/document-domain.sub.https.html

+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>Setting document.domain does not change same-originness</title>
+<script src="/resources/testharness.js"></script>
+<script src="/resources/testharnessreport.js"></script>
+
+<!--
+  Other tests check that using document.domain doesn't allow cross-origin
+  access. This test ensures a different, more subtle property: that origin
+  isolation makes document.domain into a no-op in other ways.
+-->
+
+<iframe src="resources/frame.html"></iframe>
+
+<script type="module">
+setup({ explicit_done: true });
+
+window.onload = () => {
+  test(() => {
+    // Normally, setting document.domain to itself would change the domain
+    // component of the origin. Since the iframe does *not* set document.domain,
+    // the two would then be considered cross-origin.
+    document.domain = document.domain;
+
+    // However, because we're using origin isolation, this shouldn't have any
+    // impact. The test fails if this throws, and passes if it succeeds.
+    frames[0].document;
+  }, "Setting document.domain must not change same-originness");
+
+  test(() => {
+    assert_throws_dom("SecurityError", () => {
+      document.domain = "{{hosts[][nonexistent]}}";
+    });
+  }, "The registrable domain suffix check must happen before the bail-out");
+
+  done();
+};
+</script>

third_party/blink/web_tests/external/wpt/origin-isolation/document-domain.sub.https.html.headers

+Origin-Isolation: ?1

third_party/blink/web_tests/external/wpt/origin-isolation/resources/frame.html

+<!DOCTYPE html>
+<meta charset="utf-8">
+<title>A frame included by a test page</title>

third_party/blink/web_tests/external/wpt/origin-isolation/resources/frame.html.headers

+Origin-Isolation: ?1