Tie document.domain to a new policy-controlled feature

This patch introduces the 'document-domain' policy-controlled feature, and updates the document.domain setter to rely upon it. If the policy-controlled feature is disabled, the setter will throw a "SecurityError" DOMException. The getter is unaffected. Closes w3c/webappsec-permissions-policy#241.
whatwg · Nov 14, 2018 · 33b566f · 33b566f
1 parent 9faa107
commit 33b566f
Showing 1 changed file with 7 additions and 0 deletions.
diff --git a/source b/source
@@ -4377,6 +4377,9 @@ a.setAttribute('href', 'https://example.com/'); // change the content attribute
     <li>"<dfn data-x="autoplay-feature"><code data-x="">autoplay</code></dfn>", which has a <span
     data-x="concept-default-allowlist">default allowlist</span> of <code
     data-x="">'self'</code>.</li>
+    <li>"<dfn data-x="document-domain-feature"><code data-x="">document-domain</code></dfn>", which
+    has a <span data-x="concept-default-allowlist">default allowlist</span> of <code
+    data-x="">*</code>.</li>
   </ul>
 
 
@@ -79765,6 +79768,10 @@ interface <dfn>BarProp</dfn> {
    flag</span> set, then throw a <span>"<code>SecurityError</code>"</span>
    <code>DOMException</code>.</p></li>
 
+   <li><p>If this <code>Document</code> object is not <span>allowed to use</span> the "<code
+   data-x="document-domain-feature">document-domain</code>" feature, then throw a
+   <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
+
    <li><p>Let <var>effectiveDomain</var> be this <code>Document</code> object's
    <span>origin</span>'s <span data-x="concept-origin-effective-domain">effective domain</span>.