Inline the "Relaxing the Same-Origin Restriction" algorithm
Fixes w3c#256, where the algorithm is incompletely specified via reference to
a procedure in HTML51 that isn't itself pulled out as an explicit algorithm.
jcjones committed Dec 20, 2016
1 parent f702fba commit e14eadc
Showing 1 changed file with 42 additions and 11 deletions.
53 changes: 42 additions & 11 deletions index.bs
Expand Up @@ -51,6 +51,11 @@ spec: HTML51; urlPrefix: http://www.w3.org/TR/html51/; for: web
urlPrefix: webappapis.html;
text: current settings object; for:web; url:current-settings-object
text: Navigator; for: interface; url:the-navigator-object

<!-- spec: HTML; urlPrefix: https://url.spec.whatwg.org/ -->
spec: URL; urlPrefix: https://url.spec.whatwg.org/; for: url
type: dfn
text: host parser; url: concept-host-parser
</pre>
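Review bot: the commented-out line `<!-- spec: HTML; urlPrefix: https://url.spec.whatwg.org/ -->` labels the URL Standard's prefix as the HTML spec and is superseded by the live `spec: URL` line directly below it. Drop the comment so the anchors block does not suggest two different sources for `host parser`.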


Expand Down Expand Up @@ -397,11 +402,10 @@ When this method is invoked, the user agent MUST execute the following algorithm
terminate this algorithm. Otherwise,
- If {{ScopedCredentialOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256
hash of |rpId|.
- If {{ScopedCredentialOptions/rpId}} is specified, then invoke the procedure used for <a>relaxing the same-origin
restriction</a> by setting the `document.domain` attribute, using {{ScopedCredentialOptions/rpId}} as the given value
but without changing the current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as
computed by this procedure, and |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. Otherwise, reject |promise| with a
<a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.
- If {{ScopedCredentialOptions/rpId}} is specified, then invoke the [[#algo-relax-same-origin-restriction]],
using {{ScopedCredentialOptions/rpId}}. If no errors are thrown, set |rpId| to the value of `host` as
computed by this algorithm, and |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. Otherwise, reject
|promise| with a <a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.

4. Process each element of {{cryptoParameters}} using the following steps, to produce a new sequence |normalizedParameters|.
- Let |current| be the currently selected element of {{cryptoParameters}}.
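Review bot: the new rpId-specified bullet invokes the algorithm "using {{ScopedCredentialOptions/rpId}}" without saying it is passed as the given value, which is the term steps 3 and 4 of the inlined algorithm operate on and the wording the parallel {{AssertionOptions/rpId}} bullet keeps. Suggest "using {{ScopedCredentialOptions/rpId}} as the given value" so both call sites bind the algorithm's input the same way.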
Expand Down Expand Up @@ -493,11 +497,10 @@ When this method is invoked, the user agent MUST execute the following algorithm
terminate this algorithm. Otherwise,
- If {{AssertionOptions/rpId}} is not specified, then set |rpId| to |callerOrigin|, and |rpIdHash| to the SHA-256
hash of |rpId|.
- If {{AssertionOptions/rpId}} is specified, then invoke the procedure used for <a>relaxing the same-origin restriction</a>
by setting the `document.domain` attribute, using {{AssertionOptions/rpId}} as the given value but without changing the
current document's `domain`. If no errors are thrown, set |rpId| to the value of `host` as computed by this procedure,
and |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. Otherwise, reject |promise| with a <a>DOMException</a> whose name is
"SecurityError", and terminate this algorithm.
- If {{AssertionOptions/rpId}} is specified, then invoke the [[#algo-relax-same-origin-restriction]], using
{{AssertionOptions/rpId}} as the given value. If no errors are thrown, set |rpId| to the value of `host` as computed
by this algorithm, and |rpIdHash| to the SHA-256 hash of the UTF-8 encoding of |rpId|. Otherwise, reject |promise| with
a <a>DOMException</a> whose name is "SecurityError", and terminate this algorithm.

4. If {{AssertionOptions/extensions}} was specified, process any extensions supported by this client platform, to produce the
extension data that needs to be sent to the authenticator. If an error is encountered while processing an extension, skip
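Review bot: in the rewritten {{AssertionOptions/rpId}} bullet, "set |rpId| to the value of `host` as computed by this algorithm" still reaches into the algorithm's internal variable, a holdover from when the procedure was only referenced in HTML51. The inlined algorithm ends with "Return |host|", so this can read "set |rpId| to the value returned by that algorithm"; the same change applies to the {{ScopedCredentialOptions/rpId}} bullet.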
Expand Down Expand Up @@ -1508,7 +1511,29 @@ used to help facilitate isolating problems with a specific version of a device.
If the attestation root certificate is not dedicated to a single WebAuthn Authenticator device line (i.e., AAGUID), the AAGUID
should be specified in the attestation certificate itself, so that it can be verified against the <a>authenticatorData</a>.


## Algorithm to Relax the Same-Origin Restriction ## {#algo-relax-same-origin-restriction}

The same-origin policy prevents web applications from interacting, unless they both have the same origin. HTML5, via
the `document.domain` attribute, permits "relaxing" this same-origin restriction under certain circumstances. This
algorithm implements a similar procedure that of setting the `document.domain` attribute from [[!HTML51]], but without
modifying the <a>Document</a> object:

1. If this <a>Document</a> object has no browsing context, throw a "SecurityError" <a>DOMException</a>.
2. If this <a>Document</a> object’s active sandboxing flag set has its <a>sandboxed `document.domain` browsing context
flag</a> set, then throw a "SecurityError" <a>DOMException</a>.
3. If the given value is the empty string, then throw a "SecurityError" <a>DOMException</a>.
4. Let |host| be the result of parsing the given value.
5. If |host| is failure, then throw a "SecurityError" <a>DOMException</a>.
6. Let |effectiveDomain| be this <a>Document</a> object’s <a link-for='web'>origin</a>’s effective domain.
7. If |host| is not equal to |effectiveDomain|, then run these substeps:
1. If |host| or |effectiveDomain| is not domain, then throw a "SecurityError" <a>DOMException</a>.
2. If |host|, prefixed by a U+002E FULL STOP (.), does not exactly match the |effectiveDomain|, then throw a
"SecurityError" <a>DOMException</a>.
3. If |host| matches a suffix in the Public Suffix List, or, if |host|, prefixed by a U+002E FULL STOP (.), matches the
end of a suffix in the Public Suffix List, then throw a "SecurityError" <a>DOMException</a>. [[!PSL]]

Suffixes must be compared after applying the <a link-for='url'>host parser</a> algorithm.
8. Return |host|.

# Defined Attestation Formats # {#defined-attestation-formats}
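Review bot: substep 7.2 tests whether |host|, prefixed by ".", "does not exactly match the |effectiveDomain|", but a dot-prefixed string cannot equal a parsed host in full, so as written every |host| that differs from |effectiveDomain| throws and a parent-domain rpId is never accepted. The comparison should be against the end of |effectiveDomain|, the way substep 7.3 says "matches the end of a suffix". Two smaller points: step 4 says only "the result of parsing the given value", and naming the <a link-for='url'>host parser</a> there would use the anchor this commit adds; and "a similar procedure that of setting" in the introduction is missing "to".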

Expand Down Expand Up @@ -2659,6 +2684,12 @@ Brad Hill, Jing Jin, Anne van Kesteren, Giridhar Mandyam, Axel Nennker, Yaron Sh
"status": "FIDO Alliance Proposed Standard"
},

"PSL": {
"title": "Public Suffix List",
"publisher": "Mozilla Foundation",
"href": "https://publicsuffix.org/"
},

"TPMv1-2-Part2": {
"title": "TPM Main Part 2: TPM Structures",
"publisher": "Trusted Computing Group",
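Review bot: the new "PSL" entry is cited normatively as [[!PSL]] in substep 7.3 but gives only a title, publisher and site URL, while the list it points to changes over time. Consider stating which copy of the list a user agent is expected to consult, or noting that results can differ between snapshots, so the "SecurityError" outcome for a given rpId is consistent across implementations.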