@annevk: Can you take a look?

Would document.domain actually change here? That is, isn't it already equal to {{host}}, so this test would pass no matter what?

Quoting from my comment at https://chromium-review.googlesource.com/c/chromium/src/+/2417872/2#message-050d44f47c5fd0a348193f72035a1d5c0bd3824d:

I've posted a CL at https://chromium-review.googlesource.com/c/chromium/src/+/2419144 which is meant to test the situation for origin isolation. It uses a very different test technique, which I know fails with the current origin isolation implementation.

I might be missing something and your test is fine (i.e., it fails before this CL). But if my understanding is correct, and your test passes no matter what, then you might consider a different test style, similar to the one I posted in my CL.

The other cases that would be interesting to test is what if document.domain threw an exception. There are a number of validation steps that throw, before cross-origin isolation would make it return. It seems somewhat worthwhile testing those conditions too.

In https://chromium-review.googlesource.com/c/chromium/src/+/2419144 I wrote a test of this sort for origin isolation. (None existed before.) I only checked the easy-to-test registrable suffix condition. Happily, that is the last condition, so it's pretty unlikely that implementations would somehow pass that test but mess up the other conditions.

Would document.domain actually change here? That is, isn't it already equal to {{host}}, so this test would pass no matter what?

There are two document.domain substitutions; one is in window-domain-failure.https.sub.html and the other is in resources/iframe-domain-failure.sub.html. The added check checks the latter. Please note that resources/iframe-domain-failure.sub.html is loaded as a cross-origin iframe in window-domain-failure.https.sub.html, and the initial document.domain is {{domains[www1]}}.