2.1.107 [HTML5:2014] Section 5.3.1 Relaxing the same-origin restriction
V0254: No SecurityError exceptiont is thrown if there is no browsing context et al.
The specification states:
-
5.3.1 Relaxing the same-origin restriction ... On setting, the user agent must run the following algorithm: 1. If the Document has no browsing context, throw a SecurityError exception and abort these steps. 2. If the Document's active sandboxing flag set has its sandboxed document.domain browsing context flag set, throw a SecurityError exception and abort these steps. 3. If the new value is an IPv4 or IPv6 address, let new value be the new value. Otherwise, apply the IDNA ToASCII algorithm to the new value, with both the AllowUnassigned and UseSTD3ASCIIRules flags set, and let new value be the result of the ToASCII algorithm. If ToASCII fails to convert one of the components of the string, e.g. because it is too long or because it contains invalid characters, then throw a SecurityError exception and abort these steps. [RFC5890] 4. If new value is not exactly equal to the current value of the document.domain attribute, then run these substeps: 1. If the current value is an IPv4 or IPv6 address, throw a SecurityError exception and abort these steps. 2. If new value, prefixed by a "." (U+002E), does not exactly match the end of the current value, throw a SecurityError exception and abort these steps. Note: If the new value is an IPv4 or IPv6 address, it cannot match the new value in this way and thus an exception will be thrown here. 3. If new value matches a suffix in the Public Suffix List, or, if new value, prefixed by a "." (U+002E), matches the end of a suffix in the Public Suffix List, then throw a SecurityError exception and abort these steps. [PSL]
All document modes (All versions)
No SecurityError exception is
thrown if: there is no browsing context, the sandbox flag is set, and the new
value is not exactly equal to the current value of document.domain.