2.1.98 [W3C-HTML51] Section 6.4.1 Relaxing the same-origin restriction

V0417: No SecurityError exceptiont is thrown under specific circumstances

The specification states:

 6.4.1. Relaxing the same-origin restriction
     ...
     The domain attribute on setting must run these steps:
  
         1.  If this Document object has no browsing context, throw a "SecurityError" 
             DOMException.
         2.  If this Document object’s active sandboxing flag set has its sandboxed 
             document.domain
             browsing context flag set, then throw a "SecurityError" DOMException.
         3.  If the given value is the empty string, then throw a "SecurityError" 
             DOMException.
         4.  Let host be the result of parsing the given value.
         5.  If host is failure, then throw a "SecurityError" DOMException.
         6.  Let effectiveDomain be this Document object’s origin’s effective domain.
         7.  If host is not equal to effectiveDomain, then run these substeps:
             1.  If host or effectiveDomain is not domain, then throw a "SecurityError" 
                 DOMException.
                 NOTE:
                 This is meant to exclude hosts that are an IPv4 address or an IPv6 
                 address. 
             2.  If host, prefixed by a U+002E FULL STOP (.), does not exactly match the 
                 effectiveDomain, 
                 then throw a "SecurityError" DOMException.
             3.  If host matches a suffix in the Public Suffix List, or, if host, prefixed 
                 by a U+002E FULL STOP (.),
                 matches the end of a suffix in the Public Suffix List, then throw a 
                 "SecurityError" DOMException. [PSL]
                 Suffixes must be compared after applying the host parser algorithm. [URL]
         8.  Set origin’s domain to host.

EdgeHTML Mode

No SecurityError exception is thrown if: there is no browsing context, the sandbox flag is set, and the new value is not exactly equal to the current value of document.domain.