Allow PaymentRequest and getUserMedia for same origin-domain subdocum…

…ents

Same origin-domain is used instead of same-origin
to disallow by default if document.domain had been
used in the parent document.

The origin check is part of the snapshot instead
of live.

Browsing context containers other than iframe
(object, embed, frame) that are same origin-domain
are allowed to use payment request.

Fixes #2184.

source

@@ -28733,6 +28733,64 @@ interface <dfn>HTMLIFrameElement</dfn> : <span>HTMLElement</span> {
    run these steps:</p>
 
    <ol>
+    <li>
+     <p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
+     <span>browsing context container</span> whose <span>node document</span>'s <span>origin</span>
+     is <span>same origin-domain</span> with <var>document</var>'s <span>origin</span>, then set the
+     <var>allowpaymentrequest flag</var> and the <var>allowusermedia flag</var> on
+     <var>document</var>, and abort these steps.</p>
+
+     <p class="note">If <code data-x="dom-document-domain">document.domain</code> has been used for
+     the <span>browsing context container</span>'s <span>node document</span>, then its
+     <span>origin</span> cannot be <span>same origin-domain</span> with <var>document</var>'s
+     <span>origin</span>, because these steps run when <var>document</var> is initialized so it
+     cannot itself yet have used <code data-x="dom-document-domain">document.domain</code>. Note
+     that this is less permissive compared to doing a <span>same origin</span> check instead.</p>
+
+     <div class="example">
+      <p>In this example, the child document is not allowed to use <code>PaymentRequest</code>,
+      despite being <span>same origin-domain</span> at the time the child document tries to use it.
+      At the time the child document is initialized, only the parent document has set <code
+      data-x="dom-document-domain">document.domain</code>, and the child document has not.</p>
+
+      <pre>&lt;!-- https://foo.example.com/a.html -->
+&lt;!doctype html>
+&lt;script>
+ document.domain = 'example.com';
+&lt;/script>
+&lt;iframe src=b.html>&lt;/iframe></pre>
+
+      <pre>&lt;!-- https://bar.example.com/b.html -->
+&lt;!doctype html>
+&lt;script>
+ document.domain = 'example.com'; // This happens after the document is initialized
+ new PaymentRequest(&hellip;); // Not allowed to use
+&lt;/script></pre>
+     </div>
+
+     <div class="example">
+      <p>In this example, the child document <em>is</em> allowed to use <code>PaymentRequest</code>,
+      despite not being <span>same origin-domain</span> at the time the child document tries to use
+      it. At the time the child document is initialized, none of the documents have set <code
+      data-x="dom-document-domain">document.domain</code> yet so <span>same origin-domain</span>
+      falls back to a normal <span>same origin</span> check.</p>
+
+      <pre>&lt;!-- https://example.com/a.html -->
+&lt;!doctype html>
+&lt;iframe src=b.html>&lt;/iframe>
+&lt;!-- The child document is now initialized, before the script below is run. -->
+&lt;script>
+ document.domain = 'example.com';
+&lt;/script></pre>
+
+      <pre>&lt;!-- https://example.com/b.html -->
+&lt;!doctype html>
+&lt;script>
+ new PaymentRequest(&hellip;); // Allowed to use
+&lt;/script></pre>
+     </div>
+    </li>
+
     <li><p>If <var>document</var>'s <span data-x="concept-document-bc">browsing context</span> has a
     <span>browsing context container</span> that is an <code>iframe</code> element, let
     <var>iframe</var> be that element. Otherwise, abort these steps.</p></li>
@@ -37950,8 +38008,8 @@ interface <dfn>HTMLAreaElement</dfn> : <span>HTMLElement</span> {
 
    <li><p>If the element's <span>nested browsing context</span> is null, then return null.</p></li>
 
-   <li><p>If the <span>active document</span> of the <span>nested browsing context</span> does not
-   have the <span>same origin-domain</span> for its <span>origin</span> as the element's <span>node
+   <li><p>If the <span>origin</span> of the <span>active document</span> of the <span>nested
+   browsing context</span> is not <span>same origin-domain</span> with the element's <span>node
    document</span>'s <span>origin</span>, then return null.</p></li>
 
    <li><p>If the <span>nested browsing context</span>'s <span>active document</span> was created by