Explicitly prevent sandboxed navigation via History

Previously, sandboxed navigation did not prevent navigation via the history API;
the check for the navigation was after the unload steps of the history
traversal. This adds an explicit check in those methods to prevent such
navigation.

Fixes #880.

source

@@ -81627,24 +81627,52 @@ interface <dfn>History</dfn> {
   null.</p>
 
   <p>When the <dfn><code data-x="dom-history-go">go(<var>delta</var>)</code></dfn> method is
-  invoked, if <var>delta</var> is zero, the user agent must act as if the
-  <code data-x="dom-location-reload">location.reload()</code> method was called instead. Otherwise,
-  the user agent must <span>traverse the history by a delta</span> whose value is
-  <var>delta</var>. If this <code>History</code> object is associated with a <code>Document</code>
-  that is not <span>fully active</span>, invoking must instead throw a
-  <span>"<code>SecurityError</code>"</span> <code>DOMException</code>.</p>
+  invoked:</p>
 
-  <p>When the <dfn><code data-x="dom-history-back">back()</code></dfn> method is invoked, the user
-  agent must <span>traverse the history by a delta</span> &#x2212;1. If this <code>History</code>
-  object is associated with a <code>Document</code> that is not <span>fully active</span>,
-  invoking must instead throw a <span>"<code>SecurityError</code>"</span>
-  <code>DOMException</code>.</p>
+  <ol>
+   <li><p>Let <var>document</var> be this <code>History</code> object's associated
+   <code>Document</code>.</p></li>
 
-  <p>When the <dfn><code data-x="dom-history-forward">forward()</code></dfn> method is invoked, the
-  user agent must <span>traverse the history by a delta</span> +1. If this <code>History</code>
-  object is associated with a <code>Document</code> that is not <span>fully active</span>,
-  invoking must instead throw a <span>"<code>SecurityError</code>"</span>
-  <code>DOMException</code>.</p>
+   <li><p>If <var>document</var> is not <span>fully active</span>, then throw a
+   <span>"<code>SecurityError</code>"</span>
+   <code>DOMException</code>.</p></li>
+
+   <!-- XXX extract out "location reload steps" instead of this "act as if" fuzziness. -->
+   <li><p>If <var>delta</var> is 0, then act as if the <code
+   data-x="dom-location-reload">location.reload()</code> method was called, and return.</p></li>
+
+   <li><p><span>Traverse the history by a delta</span> with <var>delta</var> and
+   <var>document</var>'s <span data-x="concept-document-bc">browsing context</span>.</p></li>
+  </ol>
+
+  <p>When the <dfn><code data-x="dom-history-back">back()</code></dfn> method is invoked:</p>
+
+  <ol>
+   <li><p>Let <var>document</var> be this <code>History</code> object's associated
+   <code>Document</code>.</p></li>
+
+   <li><p>If <var>document</var> is not <span>fully active</span>, then throw a
+   <span>"<code>SecurityError</code>"</span>
+   <code>DOMException</code>.</p></li>
+
+   <li><p><span>Traverse the history by a delta</span> with &#x2212;1 and
+   <var>document</var>'s <span data-x="concept-document-bc">browsing context</span>.</p></li>
+  </ol>
+
+  <p>When the <dfn><code data-x="dom-history-forward">forward()</code></dfn> method is invoked:</p>
+
+
+  <ol>
+   <li><p>Let <var>document</var> be this <code>History</code> object's associated
+   <code>Document</code>.</p></li>
+
+   <li><p>If <var>document</var> is not <span>fully active</span>, then throw a
+   <span>"<code>SecurityError</code>"</span>
+   <code>DOMException</code>.</p></li>
+
+   <li><p><span>Traverse the history by a delta</span> with +1 and
+   <var>document</var>'s <span data-x="concept-document-bc">browsing context</span>.</p></li>
+  </ol>
 
 
   <hr>
@@ -81676,14 +81704,16 @@ interface <dfn>History</dfn> {
 
   <hr>
 
-  <p>To <dfn>traverse the history by a delta</dfn> <var>delta</var>, the user agent must
-  append a <span data-x="concept-task">task</span> to this <span>top-level browsing context</span>'s
-  <span>session history traversal queue</span>, the <span data-x="concept-task">task</span>
-  consisting of running the following steps:</p>
+  <p>To <dfn>traverse the history by a delta</dfn> given <var>delta</var> and <span>browsing
+  context</span> <var>source browsing context</var>, the user agent must append a <span
+  data-x="concept-task">task</span> to this <span>top-level browsing context</span>'s <span>session
+  history traversal queue</span>, the <span data-x="concept-task">task</span> consisting of running
+  the following steps:</p>
 
   <ol>
 
-   <li><p>If the index of the <span>current entry of the joint session history</span> plus <var>delta</var> is less than zero or greater than or equal to the number of items in the
+   <li><p>If the index of the <span>current entry of the joint session history</span> plus
+   <var>delta</var> is less than zero or greater than or equal to the number of items in the
    <span>joint session history</span>, then return.</p>
 
    <li><p>Let <var>specified entry</var> be the entry in the <span>joint session
@@ -81693,6 +81723,9 @@ interface <dfn>History</dfn> {
    <li><p>Let <var>specified browsing context</var> be the <span>browsing context</span> of
    the <var>specified entry</var>.</p></li>
 
+   <li><p>If <var>source browsing context</var> is not <span>allowed to navigate</span>
+   <var>specified browsing context</var>, then return.</p></li>
+
    <li><p>If the <var>specified browsing context</var>'s <span>active document</span>'s
    <span>unload a document</span> algorithm is currently running, return.</p></li>
 
@@ -81740,8 +81773,8 @@ interface <dfn>History</dfn> {
   </ol>
 
   <p>When the user navigates through a <span>browsing context</span>, e.g. using a browser's back
-  and forward buttons, the user agent must <span>traverse the history by a delta</span> equivalent
-  to the action specified by the user.</p>
+  and forward buttons, the user agent must <span>traverse the history by a delta</span> with a delta
+  equivalent to the action specified by the user and the browsing context being operated on.</p>
 
   <hr id="history-1">