Use the associated document for pushState/replaceState's origin check

This updates the origin check in pushState/replaceState to use the origin of the document of the relevant History object, instead of that of the entry settings object. This more correctly matches 2/3 open source browsers: - https://chromium.googlesource.com/chromium/src/+/c21f0b11ac83ea970d0eaf6a0b223d48a32a4b32/third_party/WebKit/Source/core/frame/History.cpp#234 - https://github.com/WebKit/webkit/blob/0ee7b606dbf35d9688c15b19b1a83ec1ff242cd7/Source/WebCore/page/History.cpp#L150 (Gecko does no such security check). It also helps with whatwg#1431. While there, cleaned up some redundant steps and tightened wording.
alice · Jan 7, 2019 · acd1e53 · acd1e53
1 parent 6625a04
commit acd1e53
Showing 1 changed file with 14 additions and 15 deletions.
diff --git a/source b/source
@@ -80166,10 +80166,11 @@ interface <dfn>History</dfn> {
   <p>When either of these methods is invoked, the user agent must run the following steps:</p>
 
   <ol>
+   <li><p>Let <var>document</var> be the unique <code>Document</code> object this
+   <code>History</code> object is associated with.</p></li>
 
-   <li><p>If this <code>History</code> object is associated with a <code>Document</code> that is
-   not <span>fully active</span>, throw a <span>"<code>SecurityError</code>"</span>
-   <code>DOMException</code>.</p></li>
+   <li><p>If <var>document</var> is not <span>fully active</span>, throw a
+   <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p></li>
 
    <li><p>Optionally, abort these steps. (For example, the user agent might disallow calls to these
    methods that are invoked on a timer, or from event listeners that are not triggered in response
@@ -80195,20 +80196,20 @@ interface <dfn>History</dfn> {
 
      <li><p>Let <var>new URL</var> be the <span>resulting URL record</span>.</p></li>
 
-     <li>Compare <var>new URL</var> to the document's <span
+     <li>Compare <var>new URL</var> to <var>document</var>'s <span
      data-x="concept-document-url">URL</span>. If any component of these two <span data-x="URL
      record">URL records</span> differ other than the <span data-x="concept-url-path">path</span>,
      <span data-x="concept-url-query">query</span>, and <span
      data-x="concept-url-fragment">fragment</span> components, then throw a
      <span>"<code>SecurityError</code>"</span> <code>DOMException</code> and abort these steps.</li>
 
-     <li>If the <span data-x="concept-url-origin">origin</span> of <var>new URL</var> is not the
-     same as the <span>origin</span> of the <span>responsible document</span> specified by the
-     <span>entry settings object</span>, and either the <span data-x="concept-url-path">path</span>
-     or <span data-x="concept-url-query">query</span> components of the two <span data-x="URL
-     record">URL records</span> compared in the previous step differ, throw a
-     <span>"<code>SecurityError</code>"</span> <code>DOMException</code> and abort these steps.
-     (This prevents sandboxed content from spoofing other pages on the same origin.)</li>
+     <li>If the <span data-x="concept-url-origin">origin</span> of <var>new URL</var> is not
+     <span>same origin</span> with the <span>origin</span> of <var>document</var>, and either the
+     <span data-x="concept-url-path">path</span> or <span data-x="concept-url-query">query</span>
+     components of the two <span data-x="URL record">URL records</span> compared in the previous
+     step differ, throw a <span>"<code>SecurityError</code>"</span> <code>DOMException</code> and
+     abort these steps. (This prevents sandboxed content from spoofing other pages on the same
+     origin.)</li>
 
     </ol>
 
@@ -80271,17 +80272,15 @@ interface <dfn>History</dfn> {
 
    <li>
 
-    <p>Set the document's <span data-x="concept-document-url">URL</span> to <var>new URL</var>.</p>
+    <p>Set <var>document</var>'s <span data-x="concept-document-url">URL</span> to <var>new
+    URL</var>.</p>
 
     <p class="note">Since this is neither a <span data-x="navigate">navigation</span> of the
     <span>browsing context</span> nor a <span data-x="traverse the history">history traversal</span>,
     it does not cause a <code data-x="event-hashchange">hashchange</code> event to be fired.</p>
 
    </li>
 
-   <li><p>Let <var>targetRealm</var> be this <code>History</code> object's <span>relevant settings
-   object</span>'s <span data-x="environment settings object's realm">Realm</span>.</p></li>
-
    <li>
 
     <p>Set <code data-x="dom-history-state">history.state</code> to