Cross-Origin-Options: deny/allow-postmessage should prevent getting navigated by cross-origin scripts.
My plan is to add a check for Cross-Origin-Options to our "allowed to navigate" logic .
Created attachment 340526 [details]
Comment on attachment 340526 [details]
View in context: https://bugs.webkit.org/attachment.cgi?id=340526&action=review
> + Update our canNavigation() implementation  to take into account the Cross-Origin-Options header.
> + possible to trigger a "targetted" navigation via <a target="foo"> or open(url, "foo").
Created attachment 340597 [details]
The commit-queue encountered the following flaky tests while processing attachment 340597 [details]:
media/modern-media-controls/volume-support/volume-support-click.html bug 164229 (author: firstname.lastname@example.org)
The commit-queue is continuing to process your patch.
Comment on attachment 340597 [details]
Clearing flags on attachment: 340597
Committed r231911: <https://trac.webkit.org/changeset/231911>
All reviewed patches have been landed. Closing bug.