Do not do same-URL replace navigations when initiated cross-origin

[domenic]

This allows attackers to do a boolean probe on the URL of a cross-origin iframe, by attempting to navigate it to a given URL, and if history.length does not increase, they know that the iframe is currently pointed to that URL. Closes #2018, at least the actionable part where you can get more information than just what is retrieved using the load event.

/cc @petervanderbeken since I was reminded of this when working on #9135.

• At least two implementers are interested (and none opposed):
  • Chromium implements this
  • WebKit implements this
• Tests are written and can be reviewed and commented upon at:
  • https://wpt.fyi/results/html/browsers/browsing-the-web/navigating-across-documents?label=master&label=experimental&aligned&q=navigate-cross-origin-iframe-to-same-url
• Implementation bugs are filed:
  • Chromium: https://bugs.chromium.org/p/chromium/issues/detail?id=1208614
  • Gecko: https://bugzilla.mozilla.org/show_bug.cgi?id=1315203
  • WebKit: unknown if they had a bug tracking when they fixed this
  • Deno (only for timers, structured clone, base64 utils, channel messaging, module resolution, web workers, and web storage): N/A
  • Node.js (only for timers, structured clone, base64 utils, channel messaging, and module resolution): N/A
• MDN issue is filed: N/A, edge case behavior that doesn't need documentation

(See WHATWG Working Mode: Changes for more details.)

---

/browsing-the-web.html ( diff )