Same URL navigations don’t normally increase history.length, So by checking if it increases this allows the opener to check the exact URL of a window. This was fixed in Chromium for a cross-origin initiator if there’s no error, there are currently timing attacks with same document navigations however. https://chromium-review.googlesource.com/c/chromium/src/+/2983325
Also 40087397 - Eliminate :visited privacy issues once and for all - chromium still works, fix is being planned in https://github.com/kyraseevers/Partitioning-visited-links-history.