[Webkit-unassigned] [Bug 203764] New: Setting document.domain to "example.test" throws a SecurityError

Fri Nov 1 14:48:19 PDT 2019

https://bugs.webkit.org/show_bug.cgi?id=203764

            Bug ID: 203764
           Summary: Setting document.domain to "example.test" throws a
                    SecurityError
           Product: WebKit
           Version: Safari 13
          Hardware: Macintosh
                OS: macOS 10.15
            Status: NEW
          Severity: Normal
          Priority: P2
         Component: WebCore Misc.
          Assignee: webkit-unassigned at lists.webkit.org
          Reporter: tszynalski at antimoon.com

Apologies if this bug report is addressed incorrectly -- I'm not sure if this is an Apple bug or a WebKit bug.

In Safari 13.0.3 (Catalina), you cannot set document.domain to a superdomain of a domain which ends in ".test". The console reports "SecurityError: Attempted to use a non-registrable domain."

A page on a.somedomain.org can set document.domain to "somedomain.org".
A page on a.somedomain.example can set document.domain to "somedomain.example".
A page on a.somedomain.test CANNOT set document.domain to "somedomain.test".

The .test TLD is reserved for development and testing purposes. This error makes it impossible to test my Web app, which shares components across subdomains, without first moving it to a new domain.

I believe this behavior is contrary to the HTML spec:
https://html.spec.whatwg.org/multipage/origin.html#is-a-registrable-domain-suffix-of-or-is-equal-to

I'm sorry I cannot provide a repro page -- the error only appears on pages in the .test domain, which are not publicly accessible.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.webkit.org/pipermail/webkit-unassigned/attachments/20191101/00f2f6c5/attachment.htm>