diff --git a/index.bs b/index.bs index e5b837f97..a709d77ba 100644 --- a/index.bs +++ b/index.bs @@ -47,10 +47,20 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web text: opaque origin; url: opaque-origin; for:web text: tuple origin text: relaxing the same-origin restriction + text: domain; url: origin-domain type: dfn urlPrefix: webappapis.html; text: current settings object; for:web; url:current-settings-object text: Navigator; for: interface; url:the-navigator-object + + +spec: URL; urlPrefix: https://url.spec.whatwg.org/; for: url + type: dfn + text: host parser; url: concept-host-parser + text: domain; url: concept-domain + text: host; url: origin-host + text: IPv4 address; url: concept-ipv4 + text: IPv6 address; url: concept-ipv6 @@ -397,9 +407,8 @@ When this method is invoked, the user agent MUST execute the following algorithm terminate this algorithm. Otherwise, - If {{ScopedCredentialOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256 hash of |rpId|. - - If {{ScopedCredentialOptions/rpId}} is specified, then invoke the procedure used for relaxing the same-origin - restriction by setting the `document.domain` attribute, using {{ScopedCredentialOptions/rpId}} as the given value - but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as + - If {{ScopedCredentialOptions/rpId}} is specified, then invoke the [[#algo-relax-same-origin-restriction]], + using {{ScopedCredentialOptions/rpId}}. If no errors are thrown, set |rpId| to the value of `host` as computed by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a DOMException whose name is "SecurityError", and terminate this algorithm. 
@@ -493,11 +502,10 @@ When this method is invoked, the user agent MUST execute the following algorithm terminate this algorithm. Otherwise, - If {{AssertionOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256 hash of |rpId|. - - If {{AssertionOptions/rpId}} is specified, then invoke the procedure used for relaxing the same-origin restriction - by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given value but without changing the - current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as computed by this procedure, - and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a DOMException whose name is - "SecurityError", and terminate this algorithm. + - If {{AssertionOptions/rpId}} is specified, then invoke the [[#algo-relax-same-origin-restriction]], using + {{AssertionOptions/rpId}} as the given value. If no errors are thrown, set |rpId| to the value of `host` as computed + by this procedure, and |rpIdHash| to the SHA-256 hash of |rpId|. Otherwise, reject |promise| with a DOMException + whose name is "SecurityError", and terminate this algorithm. 4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip 
@@ -1508,7 +1516,38 @@ used to help facilitate isolating problems with a specific version of a device. If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID should be specified in the attestation certificate itself, so that it can be verified against the authenticatorData. +## Algorithm to Relax the Same-Origin Restriction ## {#algo-relax-same-origin-restriction} + +The same-origin policy prevents web applications from interacting, unless they both have the same origin. HTML5, via +the `document.domain` attribute, permits "relaxing" this same-origin restriction under certain circumstances. This +algorithm implements a similar procedure that of setting the `document.domain` attribute from [[!HTML51]], but without +modifying the Document object: + +1. If this Document object has no browsing context, throw a "SecurityError" DOMException. +2. If this Document object’s active sandboxing flag set has its sandboxed `document.domain` browsing context + flag set, then throw a "SecurityError" DOMException. +3. If the given value is the empty string, then throw a "SecurityError" DOMException. +4. Let |host| be the result of parsing the given value. +5. If |host| is failure, then throw a "SecurityError" DOMException. +6. Let |originalDomain| be this Document object’s origin’s original `domain`, + assigned when the Document is created. + + Note: The |originalDomain| should not be affected by prior calls to the Document object’s + `domain` setter. +7. If |host| is not equal to |originalDomain|, then run these substeps: + 1. If |host| or |originalDomain| is not a `domain`, then throw a "SecurityError" DOMException. + + Note: This is meant to exclude hosts that are an IPv4 address or an + IPv6 address. + + 2. If |host|, prefixed by a U+002E FULL STOP (.), does not exactly match the end of |originalDomain|, then throw a + "SecurityError" DOMException. + 3. 
If |host| matches a suffix in the Public Suffix List, or, if |host|, prefixed by a U+002E FULL STOP (.), matches the + end of a suffix in the Public Suffix List, then throw a "SecurityError" DOMException. [[!PSL]] + + Suffixes must be compared after applying the host parser algorithm. +8. Return |host|. # Defined Attestation Formats # {#defined-attestation-formats} @@ -2659,6 +2698,12 @@ Brad Hill, Jing Jin, Anne van Kesteren, Giridhar Mandyam, Axel Nennker, Yaron Sh "status": "FIDO Alliance Proposed Standard" }, + "PSL": { + "title": "Public Suffix List", + "publisher": "Mozilla Foundation", + "href": "https://publicsuffix.org/" + }, + "TPMv1-2-Part2": { "title": "TPM Main Part 2: TPM Structures", "publisher": "Trusted Computing Group",
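Review bot: the first hunk defines the link text `domain` twice, once under the HTML51 block (`text: domain; url: origin-domain`) and once under the new URL block (`text: domain; url: concept-domain`); every autolink to `domain` in the new algorithm section (step 6 uses `domain` for the origin's domain, step 7.1 for the URL-spec host type) will need an explicit `for:` qualifier (`web` vs `url`) or the references will be ambiguous. Check each use and qualify it.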
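Review bot: the new bullet in the {{ScopedCredentialOptions/rpId}} hunk drops "as the given value", which the parallel {{AssertionOptions/rpId}} hunk keeps ("using {{AssertionOptions/rpId}} as the given value"); since the referenced algorithm talks about "the given value" in steps 3 and 4, keep the phrase in both call sites. Also, "the value of `host`" should use the variable markup |host| so it visibly matches what step 8 of the algorithm returns.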
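Review bot: in the {{AssertionOptions/rpId}} hunk the same markup point applies: "the value of `host` as computed by this procedure" should be |host|, the variable returned by step 8 of [[#algo-relax-same-origin-restriction]], rather than code-formatted text. Otherwise the wording here is the one the make-credential hunk should be aligned to.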
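Review bot: the new algorithm never declares its inputs: steps 1, 2 and 6 operate on "this Document object" and steps 3 and 4 on "the given value", but both call sites pass only the rpId. State up front that the algorithm takes the current Document (the one whose origin is |callerOrigin|) and the given value. Further points in this hunk: (a) step 4 says "the result of parsing the given value" but should name the host parser (the anchor added in the first hunk), and the unnumbered trailing sentence "Suffixes must be compared after applying the host parser algorithm." belongs inside step 7.3 rather than floating after it; (b) step 6 depends on an "original `domain`, assigned when the Document is created", and only a Note says it "should not be affected by prior calls to the Document object's `domain` setter"; a Note is non-normative, so if the check must be immune to `document.domain` changes, say normatively where that value is kept and that it is stored in host-parsed form, otherwise the string suffix comparison in step 7.2 may compare differently normalized strings; (c) step 7 is entered only when |host| is not equal to |originalDomain|, so the Public Suffix List check in step 7.3 is skipped when a document's own origin host is itself a public suffix and the rpId would then equal that suffix; say whether that is intended; (d) step 7.3 does not define how a PSL "suffix" is matched (exact entry versus the list's rule semantics), so specify the matching procedure; (e) in the introductory paragraph, "a similar procedure that of setting" should read "a procedure similar to that of setting".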
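Review bot: the new "PSL" biblio entry carries only title, publisher and href, whereas the neighbouring entries also carry a "status" field; since the list at https://publicsuffix.org/ changes continuously and is referenced normatively ([[!PSL]]), add a retrieval date or version so the reference is reproducible.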