Created attachment 367577 [details] Reproducible output example When an `iframe` calls `window.history.pushState`, the parent window's `window.history.state` becomes replaced with a `null` value. Steps to reproduce: 1. Give the top page a `history.state` value (eg, call `window.history.pushState({something}, 'something')`) 2. In an iframe, perform `window.history.pushState(...)` 3. In the top page, observe that `history.state` has become set to `null` Expected behavior: The top page's `history.state` would remain untouched. Here's a minimal reproducible example that can be ran in the JS console on `bugs.webkit.org` directly: ``` (() => { const logHistoryStates = (frame) => { console.log('[top] window.history.state', window.history.state); console.log('[iframe] window.history.state', frame.contentWindow.history.state); }; // Create a mock state window.history.pushState({hello: 'world'}, 'mock bugs.webkit.org history state') // Append an iframe with the same origin var iframe = document.createElement('iframe'); iframe.src = 'https://bugs.webkit.org'; document.body.appendChild(iframe); // Take a look at the current `history.state` values for both the page and iframe. logHistoryStates(iframe); // Let the iframe load, and then simulate a `history.pushState` setTimeout(() => { console.log('[iframe] history.pushState') iframe.contentWindow.history.pushState({foo: 'bar'}, 'mock iframe history state change'); // Observe the parent window's `history.state` has been corrupted logHistoryStates(iframe); }, 1000); })() ``` Attached is a screenshot of the output differences between Safari and Chrome.