history.state leaks into null-origin pages #7107

Closed
jakearchibald opened this issue Sep 23, 2021 · 2 comments · Fixed by #6315
Comments

@jakearchibald
Contributor

jakearchibald commented Sep 23, 2021

  1. https://redirect-session-history.glitch.me/.
  2. Press "random pushState".
  3. Press "Set cookie: Serve pages with Content-Security-Policy: sandbox allow-scripts".
  4. Reload page.
  5. Look at "History state:"

The history.state value is persisted in Firefox, Chrome and Safari. This seems not-great since data has crossed an origin boundary.

I'm going to spec it so history.state is cleared on reload if:

  1. There's a redirect in the navigation (see #6213 "Should navigating to the current URL preserve history.state?" (comment))
  2. The new document's origin is different to the previous document's origin (although we'll probably do something different for error documents, see #7106 "History entry state (history & appHistory) and error documents")

cc @domenic as you'll want to avoid the same issues in app history 😄

@jakearchibald
Contributor Author

We also reparent iframes into a page that has changed origins due to sandboxing. I'm not sure what the right answer is here. It feels like it should follow the same rules as a cross-origin redirect.

@jakearchibald
Contributor Author

In #6680 I found that a redirect during traversal causes the entry to swap its document state. This prevents iframe reparenting because it's the document state that holds the nested history.

Feels like the same should happen if the origin changes.
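The example below is added here and is not code from the issue, the glitch.me reproduction, or the HTML spec. It shows the two sides of the problem in plain JavaScript that runs under Node with constructed stand-ins for `history` and `location`: the clearing rule the issue proposes (clear `history.state` on reload when the navigation redirected or the origin changed), and a page-side defence a site can apply today, tagging every state object with the origin that wrote it and discarding it on load when the reader's origin differs. The tag name `__stateOrigin`, the `pushTagged`/`readTagged` helpers and the sample state are assumptions for illustration; the only fact relied on is that a document served with `Content-Security-Policy: sandbox` (without `allow-same-origin`) has an opaque origin that serializes as `"null"`.

```javascript
// Added example, not from the issue or the spec. Pure functions plus
// constructed stand-ins, so it runs offline in Node.

const STATE_TAG = '__stateOrigin'; // hypothetical tag name, an assumption

// The clearing rule proposed in the issue, as a predicate a UA would apply
// on reload: drop history.state if the navigation involved a redirect or
// if the new document's origin differs from the previous document's.
function shouldClearHistoryState({ redirected, previousOrigin, newOrigin }) {
  return Boolean(redirected) || previousOrigin !== newOrigin;
}

// Page-side defence: wrap the state with the origin that wrote it.
function tagState(state, origin) {
  return { [STATE_TAG]: origin, value: state };
}

// On load, only accept state written by the origin now reading it.
// A CSP-sandboxed copy of the page reads location.origin === "null",
// so state written by "https://example.test" is rejected there.
function untagState(stored, currentOrigin) {
  if (stored === null || typeof stored !== 'object') return null;
  if (stored[STATE_TAG] !== currentOrigin) return null;
  return stored.value;
}

// Hypothetical wrappers a page would use instead of raw history.pushState /
// history.state. `hist` and `loc` are stand-ins for window.history and
// window.location so the flow can be exercised without a browser.
function pushTagged(hist, loc, state) {
  hist.pushState(tagState(state, loc.origin), '', loc.href);
}
function readTagged(hist, loc) {
  return untagState(hist.state, loc.origin);
}

// Constructed reproduction of the issue's steps: push random state on the
// normal page, then "reload" into a sandboxed (null-origin) document that
// still sees the same history.state object.
function simulateLeak() {
  const hist = {
    state: null,
    pushState(state, _title, _url) { this.state = state; },
  };
  const normal = { origin: 'https://example.test', href: 'https://example.test/' };
  const sandboxed = { origin: 'null', href: 'https://example.test/' };

  pushTagged(hist, normal, { token: 'constructed-secret-42' });

  return {
    // What the same-origin page gets back: its own state.
    sameOriginRead: readTagged(hist, normal),
    // What the sandboxed copy gets back with the page-side defence: nothing.
    sandboxedRead: readTagged(hist, sandboxed),
    // What the proposed spec rule says the UA should do on that reload.
    uaShouldClear: shouldClearHistoryState({
      redirected: false,
      previousOrigin: normal.origin,
      newOrigin: sandboxed.origin,
    }),
    // And for a plain same-origin reload with no redirect: keep the state.
    uaKeepsOnPlainReload: !shouldClearHistoryState({
      redirected: false,
      previousOrigin: normal.origin,
      newOrigin: normal.origin,
    }),
  };
}

module.exports = { shouldClearHistoryState, tagState, untagState, pushTagged, readTagged, simulateLeak };
```

The page-side tag is a mitigation, not a fix: a sandboxed document can still read the raw `history.state` object, so the tag only stops the page's own code from trusting it. Keeping secrets out of `history.state` altogether, and relying on the UA-level clearing rule once it ships, is the durable answer.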
