From dc564b9b59d67bc32f17097f5086b38e24bbec78 Mon Sep 17 00:00:00 2001 From: Domenic Denicola Date: Mon, 8 May 2023 18:48:58 -0400 Subject: [PATCH] Do not do same-URL replace navigations when initiated cross-origin This allows attackers to do a boolean probe on the URL of a cross-origin iframe, by attempting to navigate it to a given URL, and if history.length does not increase, they know that the iframe is currently pointed to that URL. Closes #2018, at least the actionable part where you can get more information than just what is retrieved using the load event. --- source | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/source b/source index 2f570282645..3a2d5b56947 100644 --- a/source +++ b/source @@ -91851,7 +91851,9 @@ location.href = '#foo';
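Review bot: the security rationale for the new condition in the hunk at `source` line 91851 (the history.length boolean probe against a cross-origin iframe's URL) is stated only in the commit message. If the three added lines do not already carry one, add a short non-normative note next to the changed condition explaining why a same-URL navigation is no longer converted to a replace when the initiator is cross-origin, so implementers do not drop the check as a simplification. The only hunk content visible here is the context line `location.href = '#foo';`, which is a fragment navigation; please also confirm the new wording leaves that example's behaviour unchanged.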