Fix javascript: URL origin security check

This makes it non-racy by taking the origin snapshotted at the top of the navigation algorithm. Fixes #2591. Helps with #1130. See #6514 for related investigation.

source

@@ -85947,8 +85947,7 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
       <ol>
        <li><p>Let <var>response</var> be the result of <span data-x="javascript protocol">executing
        a <code>javascript:</code> URL request</span> given <var>resource</var>,
-       <var>navigationType</var>, the <span>source browsing context</span>, and
-       <var>browsingContext</var>.</p></li>
+       <var>browsingContext</var>, and <var>incumbentNavigationOrigin</var>.</p></li>
 
        <li><p>Let <var>finalSandboxFlags</var> be the <span data-x="set union">union</span> of
        <var>browsingContext</var>'s <span data-x="concept-bc-sandboxing-flags">sandboxing
@@ -86520,15 +86519,8 @@ interface <dfn interface>Location</dfn> { // but see also <a href="#the-location
     <p>If both of the following are true:</p>
 
     <ul>
-     <li>
-      <p><var>source</var>'s <span>active document</span>'s <span
-      data-x="concept-document-origin">origin</span> is <span>same origin</span> with
-      <var>browsingContext</var>'s <span>active document</span>'s <span
-      data-x="concept-document-origin">origin</span>.</p>
-
-      <p class="XXX">As explained in <a href="https://github.com/whatwg/html/issues/2591">issue
-      #2591</a> this step does not work and presents a security issue.</p>
-     </li>
+     <li><p><var>initiatorOrigin</var> is <span>same origin</span> with <var>browsingContext</var>'s
+     <span>active document</span>'s <span data-x="concept-document-origin">origin</span>.</p></li>
 
      <li><p>The result of <span>Should navigation request of type be blocked by Content Security
      Policy?</span> given <var>request</var> and <var>navigationType</var> is "<code