Referrer Spoofing
Origin checks should compare full origins (scheme, host and port), not just the eTLD+1:
same-site navigation: (should be trimmed to https://referrer.fmarier.org/)
same-site iframe: (should be trimmed to https://referrer.fmarier.org/)
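
The behaviour these two cases test, as an added example (not code from the original page): a simplified referrer computation under the browser default policy `strict-origin-when-cross-origin`, run once with an origin comparison and once with an eTLD+1 comparison. The `example.test` hostnames, the paths and the two-label `registrableDomain()` helper are assumptions standing in for the page's hosts and for a real Public Suffix List lookup.

```javascript
// Added example; hostnames and paths below are constructed sample values.
const SRC = "https://referrer.example.test/account/reset?token=abc123#top";
const SIBLING = "https://other.example.test/landing"; // same site, different origin

// Assumption: the public suffix is one label (true for ".test"). Real code
// must consult the Public Suffix List instead of counting labels.
function registrableDomain(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

// Correct comparison: scheme, host and port must all match.
function sameOrigin(a, b) {
  return a.origin === b.origin;
}

// Too-loose comparison: any host under the same eTLD+1 is treated as "same".
function sameSite(a, b) {
  return a.protocol === b.protocol &&
    registrableDomain(a.hostname) === registrableDomain(b.hostname);
}

// Referer value under strict-origin-when-cross-origin, with the
// "is this the same party?" comparison passed in so both can be compared.
function computeReferrer(sourceUrl, destUrl, isSameParty) {
  const src = new URL(sourceUrl);
  const dst = new URL(destUrl);
  if (isSameParty(src, dst)) {
    // Full URL, with fragment and credentials stripped.
    src.hash = "";
    src.username = "";
    src.password = "";
    return src.href;
  }
  // HTTPS -> non-HTTPS downgrade: send nothing.
  if (src.protocol === "https:" && dst.protocol !== "https:") return "";
  // Cross-origin: trim to the origin only.
  return src.origin + "/";
}

console.log("origin check:", computeReferrer(SRC, SIBLING, sameOrigin));
console.log("eTLD+1 check:", computeReferrer(SRC, SIBLING, sameSite));
```

With the origin comparison the sibling host receives only the trimmed origin; with the eTLD+1 comparison it receives the full URL, including the query string.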