Security checks in navigate are racy and hence broken #2591

@bzbarsky

Description

https://html.spec.whatwg.org/#navigate step 12 in the javascript: case, substep 1 does a check that involves the "source browsing context's active document's origin".

Unfortunately, this need not match the origin that browsing context had when the navigation started, because this step is running off a task. So in a browser that implements the spec as written you get a security hole: if you target a javascript: load at a cross-origin site just as you're being unloaded due to navigation to that same cross-origin site you get XSS.

I know there are existing bugs on the "source browsing context" thing being a bit wonky, but given that I know there are implementations attempting to align with the HTML spec on the navigation algorithm, or even implementing directly from the spec, it would be good to at least have a note here or something explicitly calling out the fact that the spec should not be implemented as-is.

// cc @asajeffrey @cbrewster
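A toy model of the race described above, added here as an illustration; it is not code from the spec, the issue, or any browser. It assumes a single task queue and reduces the same-origin check to comparing origin strings; `BrowsingContext`, `navigate_as_specified`, `navigate_with_snapshot` and `run_scenario` are all hypothetical names.

```python
from collections import deque
from dataclasses import dataclass


@dataclass
class BrowsingContext:
    """Constructed stand-in for a browsing context: only the active document's origin is modelled."""
    name: str
    active_origin: str


def navigate_as_specified(source, target, tasks):
    """Models the check as the issue reads the spec: the javascript: substep runs
    inside a queued task and reads the source context's *current* active origin."""
    def task():
        # Racy: source.active_origin is whatever the source holds when the task runs.
        return source.active_origin == target.active_origin
    tasks.append(task)


def navigate_with_snapshot(source, target, tasks):
    """Hypothetical fix: capture the source origin synchronously when navigate() is invoked."""
    origin_at_start = source.active_origin
    def task():
        return origin_at_start == target.active_origin
    tasks.append(task)


def run_scenario(navigate_impl, source_navigates_away=True):
    """Return True if the javascript: URL would be allowed to run in the target.

    A cross-origin source targets a javascript: navigation at the target; then, if
    source_navigates_away, the source itself is navigated to the target's origin
    before the queued task runs (the interleaving the issue describes).
    """
    source = BrowsingContext("source", "https://a.example")  # constructed origins
    target = BrowsingContext("target", "https://b.example")
    tasks = deque()
    navigate_impl(source, target, tasks)
    if source_navigates_away:
        source.active_origin = "https://b.example"  # source's new active document
    return tasks.popleft()()


if __name__ == "__main__":
    print("spec as written, with race:", run_scenario(navigate_as_specified))    # True: allowed
    print("snapshot at start, with race:", run_scenario(navigate_with_snapshot))  # False
```

Without the race (source_navigates_away=False) both variants reject the cross-origin javascript: load; only the as-specified variant flips to allowing it once the source's origin changes under the queued task.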
