setAppBadge() should reject with SecurityError if child iframe is not…

… same origin-domain as top-origin

https://bugs.webkit.org/show_bug.cgi?id=256241
rdar://107109904

Reviewed by NOBODY (OOPS!).

Now does same origin-domain check against top-level origin.

Relevant spec change:
w3c/badging#107

* LayoutTests/imported/w3c/web-platform-tests/badging/setAppBadge_cross_origin.sub.https-expected.txt:
* Source/WebCore/page/Navigator.cpp:
(WebCore::Navigator::setAppBadge):

LayoutTests/imported/w3c/web-platform-tests/badging/setAppBadge_cross_origin.sub.https-expected.txt

@@ -1,6 +1,6 @@
 
 
 PASS Test that navigator.setAppBadge is available
-FAIL Test that calling setAppBadge in a cross-origin iframe throws a SecurityError assert_equals: setAppBadge should have rejected with an error expected "error" but got "success"
+PASS Test that calling setAppBadge in a cross-origin iframe throws a SecurityError
 PASS Test that calling setAppBadge in a same-origin iframe succeeds
 

Source/WebCore/page/Navigator.cpp

@@ -403,10 +403,16 @@ void Navigator::setAppBadge(std::optional<unsigned long long> badge, Ref<Deferre
         return;
     }
 
-    auto* document = frame->document();
-    if (document && !document->isFullyActive()) {
-        promise->reject(InvalidStateError);
-        return;
+    if (auto* document = frame->document()) {
+        if (!document->isFullyActive()) {
+            promise->reject(InvalidStateError);
+            return;
+        }
+
+        if (!frame->isMainFrame() && !document->topOrigin().isSameOriginDomain(document->securityOrigin())) {
+            promise->reject(SecurityError);
+            return;
+        }
     }
 
     page->badgeClient().setAppBadge(page, SecurityOriginData::fromFrame(frame), badge);