Writeups

By crashing a cross-origin pop-up then navigating it to data:html,foo which gets blocked, The URL would stay cross-site but the page would be same-origin. Issue 40054631
This was duplicate but made a good twitter background.

Later there was a ghost image issue where the page stayed cross-origin but the contents of the previous page showed.
Issue 40057561

This attack was migrated by needing to crash cross-site, however Issue 40054631 had a way to do it.
And any extension can crash any tab Issue 40848497 similar to the crossOriginIsolated bypass