[WebKit] UAF in DOMWindow::open

We discussed this vulnerability during Episode 92 on 19 October 2021.

When the DOMWindow::open method receives a frame name of _top or _parent, it treats the name as a special case and immediately schedules a location change. The scheduleLocationChange function is usually invoked in an asynchronous manner if the URL is the same as the old one, but if the URL fragments differ, it runs synchronously and fires a popstate event. An attacker can define an event handler that destroys the parent iframe, causing a use-after-free (UAF).
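
As an added illustration (not code from WebKit or from the original write-up), this self-contained C++ toy model shows the lifetime hazard described above: a synchronously dispatched handler drops the last owning reference to a frame while the caller still holds a raw pointer. All names (`Frame`, `Page`, `changeLocation`, `holdStrongRef`) are hypothetical, and the strong-reference guard is a general mitigation for this bug class, assumed here rather than taken from the actual WebKit fix.

```cpp
#include <functional>
#include <iostream>
#include <memory>
#include <string>

// Toy model with hypothetical names; none of this is WebKit code.
struct Frame {
    std::string url;
    std::function<void()> onPopState;  // stands in for a script-defined handler
};
struct Page { std::shared_ptr<Frame> iframe; };  // holds the only owning reference

static std::string stripFragment(const std::string& url) {
    return url.substr(0, url.find('#'));
}

// Models a location change on page.iframe. Returns true if the Frame is still
// alive after dispatch, i.e. if later use of the pointer would be valid.
bool changeLocation(Page& page, const std::string& newURL, bool holdStrongRef) {
    std::weak_ptr<Frame> liveness = page.iframe;  // observes, never owns
    Frame* frame = page.iframe.get();             // raw pointer, as in the bug class
    std::shared_ptr<Frame> protector;
    if (holdStrongRef)
        protector = page.iframe;  // hardened: pin the object across dispatch

    bool fragmentOnly = frame->url != newURL
        && stripFragment(frame->url) == stripFragment(newURL);
    if (fragmentOnly) {
        frame->url = newURL;
        auto handler = frame->onPopState;  // copy so the callable outlives the Frame
        if (handler)
            handler();  // synchronous: runs before this function returns
    }
    // Without the protector, `frame` dangles here if the handler dropped the iframe.
    return !liveness.expired();
}

// Handler removes the iframe; the new URL differs only in its fragment.
bool frameSurvivesDispatch(bool holdStrongRef) {
    Page page;
    page.iframe = std::make_shared<Frame>();
    page.iframe->url = "https://example.test/a#one";  // constructed sample URL
    page.iframe->onPopState = [&page] { page.iframe.reset(); };
    return changeLocation(page, "https://example.test/a#two", holdStrongRef);
}

int main() {
    std::cout << "raw pointer only: alive=" << frameSurvivesDispatch(false)
              << ", with protector: alive=" << frameSurvivesDispatch(true) << "\n";
}
```

The model never dereferences the stale pointer; it reports liveness through a `weak_ptr`, so it runs cleanly while still showing when the object is gone.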