From 6fbbf7a07b7e15aeaea24785d30c9a6e9b2b763b Mon Sep 17 00:00:00 2001
From: "J.C. Jones" <jc@mozilla.com>
Date: Thu, 16 Feb 2017 14:02:19 -0700
Subject: [PATCH] Refactor the document.domain attribute setter as a standalone
 algorithm

This is in response to W3C/HTML PR #769 (https://github.com/w3c/html/issues/769).

The Web Authentication WG's draft currently makes reference to the "Relaxing the
same-origin restriction" of the document.domain attribute setter as a way to let
relying parties use foo.bar.com to generate scoped credentials for bar.com.

However, 1) the attribute setter procedure isn't documented as an algorithm - so
we shouldn't call it like one, and 2) we need to override some of the ambient
state within it, by changing some of the values to be passed as arguments.

We had started some work to inline the procedure as an algorithim within our
document, but consensus is that it'd be better if we could avoid future
divergence by refactoring this part of the HTML spec instead.
---
 source | 79 +++++++++++++++++++++++++++++++++-------------------------
 1 file changed, 45 insertions(+), 34 deletions(-)

diff --git a/source b/source
index a02b4f19405..5e641c27f19 100644
--- a/source
+++ b/source
@@ -79482,48 +79482,19 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
 
   </dl>
 
-  <div w-nodev>
-
-  <p>The <dfn><code data-x="dom-document-domain">domain</code></dfn> attribute's getter must run
-  these steps:</p>
+  <p>To <dfn data-export="">relax the same-origin restriction</dfn> for a Document <var>activeDocument</var> and a string <var>inputDomain</var>, the user agent must run these steps:</p>
 
   <ol>
-   <li><p>If this <code>Document</code> object does not have a <span
-   data-x="concept-document-bc">browsing context</span>, then return the empty string.
-
-   <li><p>Let <var>effectiveDomain</var> be this <code>Document</code>'s <span>origin</span>'s <span
-   data-x="concept-origin-effective-domain">effective domain</span>.
-
-   <li><p>If <var>effectiveDomain</var> is an <span data-x="concept-origin-opaque">opaque
-   origin</span>, then return the empty string.</p></li>
-
-   <li><p>Return <var>effectiveDomain</var>, <span data-x="host
-   serializer">serialized</span>.</p></li>
-  </ol>
-
-  <p>The <code data-x="dom-document-domain">domain</code> attribute's setter must run these
-  steps:</p>
-
-  <ol>
-   <li><p>If this <code>Document</code> object has no <span data-x="concept-document-bc">browsing
-   context</span>, then throw a <span>"<code>SecurityError</code>"</span>
-   <code>DOMException</code>.</p></li>
-
-   <li><p>If this <code>Document</code> object's <span>active sandboxing flag set</span> has its
-   <span>sandboxed <code data-x="dom-document-domain">document.domain</code> browsing context
-   flag</span> set, then throw a <span>"<code>SecurityError</code>"</span>
-   <code>DOMException</code>.</p></li>
-
-   <li><p>If the given value is the empty string, then throw a
+   <li><p>If <var>inputDomain</var> is the empty string, then throw a
    <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
-   <li><p>Let <var>host</var> be the result of <span data-x="host parser">parsing</span> the given
-   value.</p></li>
+   <li><p>Let <var>host</var> be the result of <span data-x="host parser">parsing</span> the
+   <var>inputDomain</var>.</p></li>
 
    <li><p>If <var>host</var> is failure, then throw a <span>"<code>SecurityError</code>"</span>
    <code>DOMException</code>.</p></li>
 
-   <li><p>Let <var>effectiveDomain</var> be this <code>Document</code> object's
+   <li><p>Let <var>effectiveDomain</var> be <var>activeDocument</var>'s
    <span>origin</span>'s <span data-x="concept-origin-effective-domain">effective
    domain</span>.</p></li>
 
@@ -79556,6 +79527,45 @@ callback <dfn>FrameRequestCallback</dfn> = void (<span>DOMHighResTimeStamp</span
     </ol>
    </li>
 
+   <li><p>Return <var>host</var>.</p></li>
+  </ol>
+
+  <div w-nodev>
+
+  <p>The <dfn><code data-x="dom-document-domain">domain</code></dfn> attribute's getter must run
+  these steps:</p>
+
+  <ol>
+   <li><p>If this <code>Document</code> object does not have a <span
+   data-x="concept-document-bc">browsing context</span>, then return the empty string.
+
+   <li><p>Let <var>effectiveDomain</var> be this <code>Document</code>'s <span>origin</span>'s <span
+   data-x="concept-origin-effective-domain">effective domain</span>.
+
+   <li><p>If <var>effectiveDomain</var> is an <span data-x="concept-origin-opaque">opaque
+   origin</span>, then return the empty string.</p></li>
+
+   <li><p>Return <var>effectiveDomain</var>, <span data-x="host
+   serializer">serialized</span>.</p></li>
+  </ol>
+
+  <p>The <code data-x="dom-document-domain">domain</code> attribute's setter must run these
+  steps:</p>
+
+  <ol>
+   <li><p>If this <code>Document</code> object has no <span data-x="concept-document-bc">browsing
+   context</span>, then throw a <span>"<code>SecurityError</code>"</span>
+   <code>DOMException</code>.</p></li>
+
+   <li><p>If this <code>Document</code> object's <span>active sandboxing flag set</span> has its
+   <span>sandboxed <code data-x="dom-document-domain">document.domain</code> browsing context
+   flag</span> set, then throw a <span>"<code>SecurityError</code>"</span>
+   <code>DOMException</code>.</p></li>
+
+   <li><p>Let <var>host</var> be the result of <span data-x="relax the same-origin restriction">
+   relaxing the same-origin restriction</span> with this <code>Document</code> object as
+   <var>activeDocument</var> and the given value as <var>inputDomain</var>.</p></li>
+
    <li><p>Set this <code>Document</code> object's <span>origin</span>'s <span
    data-x="concept-origin-domain">domain</span> to <var>host</var>.</p></li>
   </ol>
@@ -119631,6 +119641,7 @@ INSERT INTERFACES HERE
   Ivan Enderlin,
   Ivo Emanuel Gon&ccedil;alves,
   J. King,
+  J.C. Jones,
   Jackson Ray Hamilton,
   Jacob Davies,
   Jacques Distler,