Do not do same-URL replace navigations when initiated cross-origin

This allows attackers to do a boolean probe on the URL of a cross-origin iframe, by attempting to navigate it to a given URL, and if history.length does not increase, they know that the iframe is currently pointed to that URL. Closes #2018, at least the actionable part where you can get more information than just what is retrieved using the load event.
whatwg · May 8, 2023 · dc564b9 · dc564b9
1 parent f9392e9
commit dc564b9
Showing 1 changed file with 3 additions and 1 deletion.
diff --git a/source b/source
@@ -91851,7 +91851,9 @@ location.href = '#foo';</code></pre>
     <ul class="brief">
      <li><p><var>url</var> <span data-x="concept-url-equals">equals</span>
      <var>navigable</var>'s <span data-x="nav-document">active document</span>'s <span
-     data-x="concept-document-url">URL</span>;</p></li>
+     data-x="concept-document-url">URL</span>, and <var>initiatorOriginSnapshot</var> is <span>same
+     origin</span> with <var>targetNavigable</var>'s <span data-x="nav-document">active
+     document</span>'s <span data-x="concept-document-origin">origin</span>;</p></li>
 
      <li><p><var>url</var>'s <span data-x="concept-url-scheme">scheme</span> is "<code
      data-x="javascript protocol">javascript</code>"; or</p></li>