Google Git
Sign in
chromium / chromium / src.git / 5dd78c188ba259d86af6ee12bb26fca4156880ae^! / .
commit5dd78c188ba259d86af6ee12bb26fca4156880ae[log] [tgz]
authorSunny <ratsunny@gmail.com>Mon Jun 25 00:15:26 2018
committerCommit Bot <commit-bot@chromium.org>Mon Jun 25 00:15:26 2018
treea59e076523a07655f583295d3be3dc12ab77fa25
parent7ed4cd1f125806d9c01e877bca5645bd10275fb3 [diff]
Check browsing context before set document.domain

According to spec[1], when document object doesn't have browsing
context, it should throw a "SecurityError" DOMException.

[1] https://html.spec.whatwg.org/multipage/origin.html#dom-document-domain

BUG=850432

Change-Id: Ibc12decadb2405bb5f3b190d60ad65e1ee21303b
Reviewed-on: https://chromium-review.googlesource.com/1112937
Reviewed-by: Kent Tamura <tkent@chromium.org>
Commit-Queue: Kent Tamura <tkent@chromium.org>
Cr-Commit-Position: refs/heads/master@{#569942}
diff --git a/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_setter-expected.txt b/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_setter-expected.txt
deleted file mode 100644
index cde3a440..0000000
--- a/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/document_domain_setter-expected.txt
+++ /dev/null

@@ -1,6 +0,0 @@
-This is a testharness.js-based test.
-PASS failed setting of document.domain
-PASS same-origin-domain iframe
-FAIL failed setting of document.domain for documents without browsing context assert_throws: function "() => { (new Document).domain = document.domain }" did not throw
-Harness: the test ran to completion.
-

diff --git a/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/sandboxed-document_domain-expected.txt b/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/sandboxed-document_domain-expected.txt
deleted file mode 100644
index 90827ec..0000000
--- a/third_party/WebKit/LayoutTests/external/wpt/html/browsers/origin/relaxing-the-same-origin-restriction/sandboxed-document_domain-expected.txt
+++ /dev/null

@@ -1,8 +0,0 @@
-This is a testharness.js-based test.
-PASS Sandboxed document.domain
-FAIL Sandboxed document.domain 1 assert_throws: function "() => { (new Document).domain = document.domain }" did not throw
-FAIL Sandboxed document.domain 2 assert_throws: function "() => { document.implementation.createHTMLDocument().domain = document.domain }" did not throw
-FAIL Sandboxed document.domain 3 assert_throws: function "() => { document.implementation.createDocument(null, "").domain = document.domain }" did not throw
-PASS Sandboxed document.domain 4
-Harness: the test ran to completion.
-

diff --git a/third_party/blink/renderer/core/dom/document.cc b/third_party/blink/renderer/core/dom/document.cc
index 7c51b59..5d2e779 100644
--- a/third_party/blink/renderer/core/dom/document.cc
+++ b/third_party/blink/renderer/core/dom/document.cc

@@ -5253,6 +5253,12 @@
                          ExceptionState& exception_state) {
   UseCounter::Count(*this, WebFeature::kDocumentSetDomain);
 
+  if (!frame_) {
+    exception_state.ThrowSecurityError(
+        "A browsing context is required to set a domain.");
+    return;
+  }
+
   if (IsSandboxed(kSandboxDocumentDomain)) {
     exception_state.ThrowSecurityError(
         "Assignment is forbidden for sandboxed iframes.");