Bug w3c#256 - Clarify call of the "Relaxing the Same-Origin Restriction" algorithm

This is an alternative to PR w3c#314 which inlines the "Relaxing the Same-Origin
Restriction" algorithm within our document. Instead, this clarifies:

1) That the setter should be called on the current Document
2) That the active sandboxing flag set should be empty when the algorithm runs
3) Thrown errors should be used in the promise, not occluded

Note: This version **permits** earlier set operations to `document.domain` to
affect the outcome of the algorithm, in contrast to PR w3c#314 (at this time). This
is mostly because the language is more natural here, but either PR could
be changed to honor earlier set operations -- or not.
jcjones committed Jan 6, 2017
1 parent e5c895f commit 0c8326e
Showing 1 changed file with 10 additions and 9 deletions.
19 changes: 10 additions & 9 deletions index.bs
Expand Up @@ -47,6 +47,7 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web
text: opaque origin; url: opaque-origin; for:web
text: tuple origin
text: relaxing the same-origin restriction
text: active sandboxing flag set
type: dfn
urlPrefix: webappapis.html;
text: current settings object; for:web; url:current-settings-object
Expand Down Expand Up @@ -162,7 +163,8 @@ This specification relies on several other underlying specifications.

: HTML
:: The concepts of <a link-for='web'>current settings object</a>, <a link-for='web'>origin</a>,
<a link-for='web'>opaque origin</a>, <a>relaxing the same-origin restriction</a>, and the <a>Navigator</a> interface are
<a link-for='web'>opaque origin</a>, <a>relaxing the same-origin restriction</a>,
<a>active sandboxing flag set</a>, and the <a>Navigator</a> interface are
defined in [[!HTML51]].

: Web IDL
Expand Down Expand Up @@ -411,10 +413,9 @@ When this method is invoked, the user agent MUST execute the following algorithm
and |rpIdHash| to the SHA-256 hash of |rpId|.
- If the {{ScopedCredentialOptions/rpId}} member of {{options}} is <a>present</a>, then invoke the procedure used for
<a>relaxing the same-origin
restriction</a> by setting the `document.domain` attribute, using {{ScopedCredentialOptions/rpId}} as the given value
but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as
computed by this procedure, and |rpIdHash| to the SHA-256 hash of the <a>UTF-8 encoding</a> of |rpId|. Otherwise, reject |promise| with a
<a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.
restriction</a> by setting the `document.domain` attribute on the current <a>Document</a>, using {{ScopedCredentialOptions/rpId}} as the given value,
and with the document's <a>active sandboxing flag set</a> set to the empty set, but without changing the document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as
computed by this procedure, and |rpIdHash| to the SHA-256 hash of the <a>UTF-8 encoding</a> of |rpId|. Otherwise, reject |promise| with the thrown error, and terminate this algorithm.

4. Process each element of {{cryptoParameters}} using the following steps, to produce a new sequence |normalizedParameters|.
- Let |current| be the currently selected element of {{cryptoParameters}}.
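Review bot: In the rewritten {{ScopedCredentialOptions/rpId}} step, "with the document's active sandboxing flag set set to the empty set" can be read either as a precondition on the document or as an instruction to clear its flags, and unlike `domain` nothing states that the flag set itself is left unmodified. Suggest wording along the lines of "treating the document's active sandboxing flag set as empty for this invocation, and without changing it or the document's `domain`", so a sandboxed document's flags are clearly not altered by this call. Separately, now that the promise rejects "with the thrown error" instead of a fixed "SecurityError", it would help to say which errors callers should expect from the referenced procedure.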
Expand Down Expand Up @@ -506,10 +507,10 @@ When this method is invoked, the user agent MUST execute the following algorithm
- If the {{AssertionOptions/rpId}} member of {{options}} is not <a>present</a>, then set |rpId| to |callerOrigin|, and
|rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|.
- If the {{AssertionOptions/rpId}} member of {{options}} is <a>present</a>, then invoke the procedure used for <a>relaxing
the same-origin restriction</a> by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given
value but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host`
as computed by this procedure, and |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. Otherwise, reject
|promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.
the same-origin restriction</a> by setting the `document.domain` attribute on the current <a>Document</a>, using {{AssertionOptions/rpId}} as the given
value, and with the document's <a>active sandboxing flag set</a> set to the empty set, but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host`
as computed by this procedure, and |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. Otherwise, reject
|promise| with with the thrown error, and terminate this algorithm.

4. If the {{AssertionOptions/extensions}} member of {{options}} is <a>present</a>, process any extensions supported by this
client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered while
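Review bot: The last changed line of the {{AssertionOptions/rpId}} step reads "|promise| with with the thrown error"; drop the duplicated "with". This step also says "without changing the current document's `domain`" while the parallel {{ScopedCredentialOptions/rpId}} step in the same commit says "without changing the document's `domain`", and only that step links <a>UTF-8 encoding</a>. Since the two steps are meant to describe the same check, aligning their wording would avoid readers looking for a difference in behaviour that is not intended.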