capybara-simulated 0.5.0 → 0.6.0

data/lib/capybara/simulated/browser.rb

@@ -97,6 +97,16 @@ module Capybara
       # green at 100 across gem 1579, WPT 660, Forem, Avo, :464 passing). Clamped
       # >=1 so a `CSIM_POLL_TICK_STEP_MS=0` misconfig can't freeze the fixed-step path.
       POLL_TICK_STEP_MS = [(ENV['CSIM_POLL_TICK_STEP_MS'] || '100').to_i, 1].max
+      # One animation frame (~60 Hz, whole ms — `run_loop_step` truncates). When a
+      # poll advances the clock while the page has work runnable NOW (a rAF chain or
+      # a timer burst), `tick_real_time` runs the advance in chunks this size so the
+      # page's rendering runs at real-browser cadence (one render phase per frame),
+      # not one `POLL_TICK_STEP_MS` super-frame — the same model the WPT drain uses.
+      FRAME_STEP_MS = 16
+      # Per-poll task-iteration cap, mirroring `RuntimeShared#run_loop_step`'s own
+      # default — shared across the frame chunks of one poll so sub-stepping keeps
+      # the same per-poll ceiling the single-step path had.
+      RUN_LOOP_MAX_ITER = 10_000
       # Horizon-gated fast-forward: when the page is observably idle (no timer due
       # now, no background IO) but a timer is parked within this horizon, jump the
       # virtual clock straight to it instead of waiting ~delay/step polls. A timer
@@ -116,6 +126,11 @@ module Capybara
       # timer/microtask storm so one settle iter returns to Ruby; large enough
       # for the heaviest legit chain (Mastodon hydrate, Turbo stream batch).
       SETTLE_MAX_ITER_TASKS = 256
+      # Backstop for the post-boot deferred-external-script drain: a dynamically
+      # inserted external <script> runs async (setTimeout 0), so an app's chunk
+      # loader chains many of them at boot. We pump only ALREADY-due tasks until the
+      # pending count hits 0; this caps a pathological self-injecting loader.
+      BOOT_SCRIPT_DRAIN_MAX_ITER = 300
       # Post-user-action virtual-clock advance. Default 0 — the
       # wall-sync model (each tick_real_time advances by the wall
       # ms elapsed since the last tick) lets Capybara's outer poll
@@ -167,9 +182,10 @@ module Capybara
         Rack::Mime.mime_type(File.extname(path.to_s), '')
       end
 
-      def initialize(app, driver: nil, js_engine: nil, cookies: nil, local_storage: nil)
+      def initialize(app, driver: nil, js_engine: nil, cookies: nil, local_storage: nil, all_hosts_local: nil)
         @app                          = app
         @driver                       = driver
+        @all_hosts_local_override     = all_hosts_local
         @runtime                      = build_runtime(js_engine)
         # Per-poll clock decisions cached at construction (CLAUDE.md rule 3 — the
         # runtime type + env are fixed for the session): the wall-sync escape
@@ -218,6 +234,18 @@ module Capybara
         # `Capybara.app_host` / `server_host` / `server_port` on every
         # rack call (CLAUDE.md: cache env decisions at construction).
         @default_host                 = self.class.default_host
+        # The WPT runner serves EVERY host through one in-process Rack app (the
+        # wptserve catch-all), so cross-origin test fixtures are genuinely local
+        # there. Setting this makes `url_is_local?` true for all hosts, so a
+        # cross-origin iframe eager-builds + is served by @app.call directly
+        # (no failing net_http_fetch). Apps leave it off: an external embed stays
+        # non-local → lazy → no @app.call side effect (extra visit / log row).
+        # Universal-server context (every host served in-process → cross-origin frames
+        # eager-build). The Driver captures this at session-construction time (when the
+        # WPT runner has the env set) and passes it to EVERY window it builds, so an aux
+        # window opened LATER — after the runner restored the env — still inherits it.
+        # nil override (a stand-alone Browser) falls back to the live env check.
+        @all_hosts_local              = @all_hosts_local_override.nil? ? (ENV['CSIM_LOCAL_ALL_HOSTS'] == '1') : @all_hosts_local_override
         # Handle IDs are per-Context integer sequences: a handle from
         # a pre-rebuild context could collide with a fresh node's id
         # in the new context. Node captures this on construction;
@@ -403,8 +431,8 @@ module Capybara
 
       # Address-bar navigation: no Referer, and relative paths resolve
       # against the host root (not the current page's directory).
-      def visit(url)
-        navigate(resolve_visit_url(url), referer: nil)
+      def visit(url, referer: nil)
+        navigate(resolve_visit_url(url), referer: referer)
       end
 
       URL_UNSAFE_CHARS = %r{[^!*'();:@&=+$,/?#\[\]A-Za-z0-9\-._~%]}n.freeze
@@ -915,12 +943,13 @@ module Capybara
             end
           # `target="_blank"` (or any non-_self/_top/_parent name) opens
           # in a new browsing context (its own Browser/VM); the primary
-          # stays put (per HTML spec — original window is unaffected). No
-          # `opener_handle` is passed: modern browsers default `target=_blank`
-          # to `noopener` (so `window.opener` is null), unlike JS `window.open`
-          # which keeps the opener — see `open_window_from_js`.
+          # stays put (per HTML spec — original window is unaffected). A
+          # `target=_blank` link defaults to `noopener` (window.opener null) unless
+          # `rel=opener` (carried as `action['opener']`); open_aux_window forces
+          # noopener anyway for a cross-partition blob. Matches the scripted
+          # click / dispatchEvent activation paths.
           elsif !target.empty? && !%w[_self _top _parent].include?(target.downcase) && @driver.respond_to?(:open_aux_window)
-            @driver.open_aux_window(resolve_against_current(url, use_base: true), source: self, blob_snapshot: action['blob'])
+            @driver.open_aux_window(resolve_against_current(url, use_base: true), source: self, opener: !!action['opener'], blob_snapshot: action['blob'])
           # In-page anchor links (`#frag` / current-page + `#frag`) move
           # the hash but don't fetch a new document. Pure-fragment also
           # short-circuits the `<a>`s test fixtures use as click sinks.
@@ -966,7 +995,7 @@ module Capybara
           elsif @current_url != submit_baseline_url
             # Already navigated; nothing more to do.
           else
-            submit_form_handle(action['formHandle'], action['submitter'])
+            submit_form_handle(action['formHandle'], action['submitter'], action['entryList'])
           end
         when 'download'
           download_link(resolve_against_current(action['url'].to_s), action['filename'].to_s)
@@ -1035,7 +1064,7 @@ module Capybara
         # `attach_file` hands us a Pathname (or Array of Pathnames);
         # the marshaller rejects non-primitive types. Coerce to a path-list
         # form V8 can hold — the actual multipart upload happens later
-        # in `build_multipart_body` during form submission.
+        # in `encode_entry_list` during form submission.
         coerced = coerce_set_value(value)
         # For date/time-shaped inputs we need the type-specific
         # string. Probe the handle's `type` and re-format Date / Time
@@ -1375,7 +1404,7 @@ module Capybara
       def consume_pending_form_submit
         pending = @runtime.call('__csimTakePendingFormSubmit')
         return unless pending.is_a?(Hash) && pending['formHandle']
-        submit_form_handle(pending['formHandle'].to_i, pending['submitterHandle'])
+        submit_form_handle(pending['formHandle'].to_i, pending['submitterHandle'], pending['entryList'])
       end
 
       # Pin the URL the page is at as a user action BEGINS — the FIRST line of
@@ -1475,7 +1504,9 @@ module Capybara
         url    = pending['url'].to_s
         target = pending['target'].to_s
         if !target.empty? && !%w[_self _top _parent].include?(target.downcase) && @driver.respond_to?(:open_aux_window)
-          @driver.open_aux_window(resolve_against_current(url, use_base: true), source: self, blob_snapshot: pending['blob'])
+          # `opener` reflects rel=opener (a bare target=_blank link is noopener);
+          # open_aux_window forces noopener anyway for a cross-partition blob.
+          @driver.open_aux_window(resolve_against_current(url, use_base: true), source: self, opener: !!pending['opener'], blob_snapshot: pending['blob'])
         elsif pure_fragment_navigation?(url)
           update_current_hash(url)
         else
@@ -1607,11 +1638,34 @@ module Capybara
       def go_back        ; history_go(-1, force: true) ; end
       def go_forward     ; history_go(+1, force: true) ; end
 
+      # Reset the session history to empty WITHOUT the full `reset!` (cookies /
+      # storage / viewport / frame scope stay put). A single session that visits
+      # many documents in sequence — the WPT conformance runner reuses one for
+      # the whole 1645-file suite — otherwise accumulates every prior visit's
+      # history entry, so a document that calls `history.back()` (e.g. a bfcache
+      # round-trip test) traverses the SHARED history back into the PREVIOUS
+      # document and re-runs it. Clearing history per visit confines each
+      # document's back / forward to its own navigations, matching a real
+      # browser's fresh-browsing-context isolation, so results don't depend on
+      # visit order. Not wired into `visit` itself — a normal session keeps
+      # cross-`visit` back-navigation (Selenium parity); only callers that want
+      # per-document isolation invoke it.
+      def reset_history!
+        @history.clear
+        @history_idx              = -1
+        @pending_history_traverse = nil
+      end
+
       # Move through the history stack by `delta`. Per HTML spec, a
       # same-document traversal (within a chain of pushState entries
       # rooted at a single navigation) updates `location` and fires
       # `popstate` with the entry's state — no full reload. A cross-
       # document traversal replays the entry (full navigate / re-POST).
+      # Returns the traversal kind so a cross-window caller
+      # (`window_history_go`) knows whether to fire the target window's
+      # deferred `load`: `:same_document` (pushState traversal — popstate
+      # already fired, no load), `:cross_document` (full document replay —
+      # load follows), or `nil` (no-op: zero delta / out of range).
       def history_go(delta, force: false)
         delta = delta.to_i
         return if delta == 0
@@ -1626,10 +1680,13 @@ module Capybara
           @current_url = entry[:url]
           @runtime.call('__csimUpdateLocation', @current_url)
           @runtime.call('__csimDispatchPopState', entry[:state])
+          :same_document
         elsif force
-          # Ruby-driven (`page.go_back`) — no live JS call to interrupt,
-          # safe to rebuild the Context synchronously.
+          # Ruby-driven (`page.go_back`), or a non-active window driven by its
+          # opener (`w.history.back()`) — no live JS call on THIS window's
+          # isolate to interrupt, safe to rebuild the Context synchronously.
           perform_history_traverse(target)
+          :cross_document
         else
           # JS-driven (`history.back()` from a page handler): replaying
           # the history entry synchronously would call `rebuild_ctx`
@@ -1639,6 +1696,7 @@ module Capybara
           # and drain after the call returns — mirrors
           # `location_assign` / `location_reload`.
           @pending_history_traverse = target
+          :cross_document
         end
       end
 
@@ -1649,8 +1707,29 @@ module Capybara
       end
 
       private def perform_history_traverse(target)
+        capture_outgoing_form_state
         @history_idx = target
         replay_history_entry(@history[target])
+        restore_form_state(@history[target])
+      end
+
+      # Snapshot the OUTGOING document's form-control state into the history entry
+      # we are leaving, so a later back/forward traversal to it restores the
+      # values the user/script had set (HTML "persisted user state"), not the
+      # markup defaults. Captured while the outgoing VM is still live — before
+      # record_history advances the index or boot rebuilds the context.
+      def capture_outgoing_form_state
+        return if @history_idx < 0 || (entry = @history[@history_idx]).nil?
+        state = (@runtime.call('__csimCaptureFormState') rescue nil)
+        entry[:form_state] = state if state
+      end
+
+      # Re-apply a history entry's captured form state after its document has been
+      # rebuilt. The JS setters set the dirty value flag WITHOUT firing
+      # input/change, so a restored value doesn't look like a fresh user edit.
+      def restore_form_state(entry)
+        return unless entry && (state = entry[:form_state])
+        @runtime.call('__csimRestoreFormState', state) rescue nil
       end
 
       # Same-document = every entry between `from` and `to` (inclusive)
@@ -1993,22 +2072,54 @@ module Capybara
           @last_tick_ts = now
           effective_step = step_ms || horizon_fast_forward_step
           if @timers_active && effective_step > 0
-            r = @runtime.run_loop_step(effective_step)
-            # `dirtied` (settleGen changed) catches a render-phase rAF / microtask-
-            # delivered MutationObserver that mutated the DOM without firing a timer
-            # (fired == 0) — a fired-count-only test would leave a stale find cache.
-            @find_cache_dirty = true if r['dirtied'] || r['fired'].to_i > 0
+            # When the page has work runnable NOW (a rAF chain / timer burst — set
+            # by `horizon_fast_forward_step`), run the poll's worth of virtual time
+            # in frame-sized chunks so the page renders at real-browser cadence
+            # rather than one `POLL_TICK_STEP_MS` super-frame. The `step_ms` path
+            # (explicit `sleep` / `wait_for_timeout`) and idle/parked/fast-forward
+            # polls keep the single step — nothing is rendering frame-by-frame, so
+            # sub-stepping would only spin empty render phases. The tail-jump bails
+            # the moment a frame goes quiet, so a chain that settles early (or the
+            # rare quiet sub-step) doesn't pay for the unused remainder.
+            if step_ms.nil? && @page_runnable_now && effective_step > FRAME_STEP_MS
+              remaining = effective_step
+              # Share ONE task-iteration budget across the chunks so the per-poll
+              # cap matches the single-step path (each `run_loop_step` otherwise
+              # gets a fresh `RUN_LOOP_MAX_ITER`, so an always-due `setInterval(0)`
+              # busy loop could run N× the work). Exhausting it ends the poll —
+              # the clock is stuck on that loop either way.
+              iter_budget = RUN_LOOP_MAX_ITER
+              while remaining > 0 && iter_budget > 0
+                chunk = remaining < FRAME_STEP_MS ? remaining : FRAME_STEP_MS
+                r = @runtime.run_loop_step(chunk, iter_budget)
+                @find_cache_dirty = true if r['dirtied'] || r['fired'].to_i > 0
+                remaining    -= chunk
+                iter_budget  -= r['fired'].to_i
+                # Idle frame → nothing left to render frame-by-frame this poll: jump
+                # the remaining advance in one step (fires any timer parked within
+                # it). A still-queued rAF (`r['raf']`) is NOT idle — a non-mutating
+                # animation chain fires no timer and dirties nothing yet keeps
+                # rendering, so keep sub-stepping it at frame cadence.
+                if remaining > 0 && r['fired'].to_i.zero? && !r['dirtied'] && !r['raf']
+                  r = @runtime.run_loop_step(remaining, iter_budget)
+                  @find_cache_dirty = true if r['dirtied'] || r['fired'].to_i > 0
+                  break
+                end
+              end
+            else
+              r = @runtime.run_loop_step(effective_step)
+              # `dirtied` (settleGen changed) catches a render-phase rAF / microtask-
+              # delivered MutationObserver that mutated the DOM without firing a timer
+              # (fired == 0) — a fired-count-only test would leave a stale find cache.
+              @find_cache_dirty = true if r['dirtied'] || r['fired'].to_i > 0
+            end
           end
           # Pull any pending Worker / EventSource messages into JS
           # state. Without this, `evaluate_script` after kicking off
           # a worker round-trip would see stale state — the inbox
           # outbox only drains during `settle`, which doesn't run
           # for direct `execute_script` / `evaluate_script` calls.
-          @find_cache_dirty = true if deliver_worker_messages > 0
-          @find_cache_dirty = true if deliver_event_source_events > 0
-          @find_cache_dirty = true if deliver_hijacked_fetches > 0
-          @find_cache_dirty = true if deliver_window_messages > 0
-          @find_cache_dirty = true if deliver_websocket_events > 0
+          drain_async_channels
         ensure
           @ticking = false
         end
@@ -2032,6 +2143,142 @@ module Capybara
         consume_pending_download
       end
 
+      # Backstop on the per-frame quiescence loop — caps the event-loop turns
+      # processed at a single instant so a `setInterval(0)` (always-due) busy loop
+      # advances a frame and continues, rather than spinning forever. Generous:
+      # real frames here run hundreds of microtask/rAF turns (e.g. ~80 sequential
+      # rAF promise_tests, each ~2 render turns).
+      EVENT_LOOP_QUIESCENCE_CAP = 512
+
+      # Run ONE real-cadence event-loop frame and report the loop's observable
+      # state. A general primitive — it models a browser animation frame and knows
+      # nothing about any particular test harness; the WPT runner is its first
+      # caller (driving a page to completion one frame at a time). It advances the
+      # same virtual clock as the Capybara poll path: `tick_real_time` keeps its own
+      # per-poll BUDGET (a ~100 ms `horizon_fast_forward` step, tuned for app
+      # debounce observation) but, when the page has work runnable now, spends that
+      # budget in `FRAME_STEP_MS` chunks — the same frame cadence this primitive
+      # uses — so a page renders frame-by-frame regardless of which path drives it.
+      #
+      # A real browser processes EVERYTHING ready at the current instant within a
+      # single animation frame — microtasks, timers due now (incl. newly scheduled
+      # `setTimeout(0)`), the render-phase rAF callbacks, and the navigation /
+      # form-submit / worker chains they trigger — and only THEN advances ~16.67 ms
+      # to the next frame. Modelling that is essential: a multi-hop chain (a form →
+      # iframe-rebuild → onload → next-submit sequence, or N sequential rAF
+      # `promise_test`s) must complete inside a frame. Advancing the clock per host
+      # round-trip instead (the old WPT runner did ~3 `evaluate_script`s/frame, each
+      # a full ~100 ms `tick_real_time` poll tick) runs it ~20× real cadence, so a
+      # page that needs many frames trips a wall-clock-budget harness timeout long
+      # before its queue drains. Driving the loop here keeps real cadence (one frame
+      # interval per frame) while still completing the chains.
+      #
+      # Phase 1 — quiescence at the CURRENT virtual time: repeatedly run the loop
+      # with a ZERO advance (`run_loop_step(0)` fires only timers due now + the
+      # microtask checkpoints + the render phase) and drain the Ruby-side async /
+      # nav / form-submit / download chains they queue, until a turn makes no
+      # observable progress (or the backstop caps a busy loop). Phase 2 — advance
+      # exactly one frame so the next batch of timers comes due.
+      #
+      # Returns the loop state: `progressed` (this frame did real work — drives a
+      # caller's idle detection), `raf` (an animation frame is queued), `async` (a
+      # non-timer background channel — worker / SSE / hijacked fetch — is in
+      # flight), and `next_timer` (ms to the nearest scheduled timer, -1 = none, so
+      # a caller can tell a page PARKED on a near-future `setTimeout` from an idle
+      # one). Whether the page reached some application-level "done" state is the
+      # caller's concern — read it separately with `peek_script` (clock-free).
+      def run_event_loop_frame(frame_ms)
+        turns = 0
+        loop do
+          r = @runtime.run_loop_step(0)          # run only what's due NOW + microtasks + render; no clock advance
+          progressed = step_and_drain_progressed(r)
+          turns += 1
+          break unless progressed
+          break if turns >= EVENT_LOOP_QUIESCENCE_CAP
+        end
+        # Phase 2 — advance one real frame so the next batch of timers becomes due.
+        # Its work counts toward `progressed` too: a timer that first comes due in
+        # this advance (e.g. a `setTimeout(…, 8)` firing mid-frame) and the nav hop
+        # it queues are real progress, so a caller mustn't read the frame as idle.
+        frame_progressed = step_and_drain_progressed(@runtime.run_loop_step(frame_ms))
+        probe = dom_call('__csimEventLoopProbe')
+        {
+          'raf'        => !!probe['raf'],
+          'async'      => !!probe['async'],
+          # ms until the nearest scheduled timer (-1 = none). Lets a caller keep
+          # advancing while a near-future `setTimeout` is parked (a `step_timeout`-
+          # style wait) instead of declaring the page idle — see `__csimEventLoopProbe`.
+          'next_timer' => probe['nextTimer'].to_f,
+          # `turns > 1` ⇒ phase 1's quiescence did work (the trailing no-progress
+          # turn that ends the loop is the +1); OR phase 2's advance did.
+          'progressed' => turns > 1 || frame_progressed
+        }
+      end
+
+      # Drain the Ruby-side async / navigation / form-submit / download chains a
+      # `run_loop_step` (passed as `r`) may have queued, and report whether this
+      # step+drain made observable progress. Shared by both phases of
+      # `run_event_loop_frame`.
+      #
+      # A pending Ruby-side navigation/submit/reload intent counts as progress:
+      # draining it rebuilds a child frame realm and fires that iframe's `onload`
+      # synchronously, whose handler can queue the NEXT hop (submit-entity-body's
+      # `run_simple_test` chain: form.submit() → realm rebuild → onload → next
+      # form.submit()). That work happens entirely in the CHILD realm, so it bumps
+      # the child's `settleGen`, never the main realm's `settle_gen` we sample, and
+      # fires no main-realm timer. Snapshot the intent BEFORE draining: this call
+      # consumes one hop and the onload re-queues the next, which the following
+      # call sees — so the quiescence loop self-terminates when the chain ends.
+      private def step_and_drain_progressed(r)
+        pulled = drain_async_channels
+        invalidate_find_cache
+        drained_nav = pending_nav_intent?
+        drain_pending_navigation
+        consume_pending_form_submit
+        consume_pending_download
+        # `r['dirtied']` already covers settleGen changes DURING the step; compare
+        # the post-drain gen against the step's post-step gen (`r['gen']`, free —
+        # no extra crossing) to also catch a main-realm change the drains caused.
+        r['fired'].to_i.positive? || r['dirtied'] || pulled || drained_nav ||
+          @runtime.settle_gen != r['gen'].to_i
+      end
+
+      # Clock-FREE read of a JS expression in the active browsing context. Unlike
+      # `evaluate_script` (which ticks `tick_real_time` first), this is a bare
+      # `dom_call` and advances no virtual time — so a caller polling page state
+      # once per `run_event_loop_frame` (e.g. the WPT runner checking its harness's
+      # completion sentinel) doesn't perturb the frame cadence the loop maintains.
+      def peek_script(expr)
+        dom_call('__csimEvalScript', expr.to_s, marshal_args([]))
+      end
+
+      # Any Ruby-side navigation intent queued and waiting for `drain_pending_navigation`
+      # to act on it — the same set that method drains (location / frame nav / frame
+      # submit / frame reload / reload / history traverse). The quiescence loop treats
+      # a queued intent as progress because draining it does cross-realm work (rebuild
+      # a child frame realm + fire its `onload`) that the main-realm `settleGen` /
+      # fired-timer signals can't see. Aux-window opens are intentionally excluded:
+      # they build a separate Browser, not a hop in a same-page chain.
+      private def pending_nav_intent?
+        !@pending_location.nil? ||
+          @pending_reload ||
+          !@pending_history_traverse.nil? ||
+          !(@pending_frame_nav || {}).empty? ||
+          !(@pending_frame_submit || []).empty? ||
+          !(@pending_frame_reload || []).empty?
+      end
+
+      # Pull every background async channel (Worker / EventSource / hijacked fetch
+      # / postMessage / WebSocket) into JS state, marking the find cache dirty if
+      # any delivered. Shared by `tick_real_time` and `run_event_loop_frame`.
+      # Returns true if any channel delivered.
+      private def drain_async_channels
+        n = deliver_worker_messages + deliver_event_source_events + deliver_hijacked_fetches +
+            deliver_window_messages + deliver_websocket_events
+        @find_cache_dirty = true if n.positive?
+        n.positive?
+      end
+
       # This tick's deterministic virtual-clock advance (ms). Default is the fixed
       # `POLL_TICK_STEP_MS` — never wall-derived, so per-poll JS/Ruby/GC cost cannot
       # shift WHEN a timer fires (the wall-sync↔perf coupling this replaces). When
@@ -2040,6 +2287,11 @@ module Capybara
       # it — but only after the transient-guard window so pre-debounce states are
       # still observed across several polls. `FF_HORIZON_MS=0` ⇒ pure fixed-step.
       def horizon_fast_forward_step
+        # Whether the page has work runnable at the CURRENT instant (a rAF or a
+        # due-now timer). Only then does `tick_real_time` sub-step the advance into
+        # frames — an idle/parked poll has nothing to render frame-by-frame, so it
+        # stays a single step (no extra render phases on the common idle-wait poll).
+        @page_runnable_now = false
         # Escape hatch to the legacy wall-sync clock (virtual advance = real
         # wall-elapsed per poll). The deterministic model decouples perf from
         # timing but can't match a real browser's wall-proportional cadence for
@@ -2064,6 +2316,7 @@ module Capybara
         # (2) Runnable now → fixed step, reset guard (not a quiet pre-debounce window).
         if delay.zero?
           @ff_transient_polls = 0
+          @page_runnable_now  = true
           return POLL_TICK_STEP_MS
         end
         # (3) Nothing parked → nothing to fast-forward to.
@@ -2109,95 +2362,161 @@ module Capybara
       attr_reader :context_gen
 
       # Pulls the serialised form-state out of JS, encodes it, and
-      # drives the Rack app via `navigate` (for GET) or a POST.
-      def submit_form_handle(form_handle, submitter_handle)
+      # drives the Rack app via `navigate` (for GET) or a POST. `entry_list` is the
+      # list JS already constructed (post-`formdata`, so a handler's append/delete
+      # is honoured); when absent (the Enter implicit-submit path) we build it from
+      # the form's own controls.
+      def submit_form_handle(form_handle, submitter_handle, entry_list = nil)
         invalidate_find_cache
         spec = dom_call('__csimFormSerialize', form_handle, submitter_handle || 0)
         return unless spec.is_a?(Hash)
         action  = spec['action'].to_s
         method  = spec['method'].to_s.upcase
         method  = 'GET' if method.empty?
-        fields  = (spec['fields'] || []).map {|pair| [pair[0].to_s, pair[1].to_s] }
-        file_inputs = spec['fileInputs'] || []
-        enctype = spec['enctype'].to_s
-        multipart = enctype.start_with?('multipart/form-data')
-        content_type = nil
-        body =
-          if multipart
-            built = build_multipart_body(fields, file_inputs)
-            content_type = built[:content_type]
-            built[:body]
-          else
-            # Non-multipart: file inputs contribute the filename only.
-            file_inputs.each do |fi|
-              picks = @file_picks && @file_picks[fi['handle'].to_i] || []
-              fields << [fi['name'].to_s, picks.first ? File.basename(picks.first) : '']
-            end
-            URI.encode_www_form(fields)
-          end
+        enctype = spec['enctype'].to_s.empty? ? 'application/x-www-form-urlencoded' : spec['enctype'].to_s.downcase
+        entries = entry_list.is_a?(Array) ? entry_list : entries_from_spec(spec)
         action_url = action.empty? ? (current_browsing_context_url || @default_host) : resolve_against_current(action)
         # A form submitted inside a frame whose target is that frame (self, or a
         # `_parent` of a ≥2-deep frame) navigates the FRAME, not the top page.
         frame_entry = frame_nav_target_entry(spec['target'])
+        # A non-frame named target (`_blank`, or a window name that isn't a frame)
+        # submits into a NEW/named browsing context — open (or reuse) an aux window,
+        # mirroring the link `target=_blank` branch. `_blank` is always a fresh window;
+        # a named target that matches THIS window's own `window.name` navigates in
+        # place (HTML named-context targeting), so it isn't a new window.
+        target = spec['target'].to_s
+        named_target = frame_entry.nil? && !target.empty? &&
+                       !%w[_self _top _parent].include?(target.downcase) &&
+                       @driver.respond_to?(:open_aux_window)
+        own_name   = named_target ? (@runtime.call('__csimReadWindowProp', false, 'name').to_s rescue '') : ''
+        new_window = named_target && (target.casecmp?('_blank') || target != own_name)
+        window_name = target.casecmp?('_blank') ? '' : target
+        # Opener exposure for a `<form target>` new context, per the link-relation
+        # model: `noopener`/`noreferrer` always drop the opener; `target=_blank`
+        # ALSO defaults to noopener unless `rel=opener` opts back in (a named target
+        # keeps its opener by default). `noreferrer` additionally empties the referrer.
+        rel_tokens  = spec['rel'].to_s.downcase.split(/\s+/)
+        no_referrer = rel_tokens.include?('noreferrer')
+        keep_opener = !no_referrer && !rel_tokens.include?('noopener') &&
+                      (target.downcase != '_blank' || rel_tokens.include?('opener'))
+        referrer    = no_referrer ? '' : (@current_url || '')
+        # Opening a new top-level browsing context consumes transient user activation.
+        @runtime.call('__csimConsumeTransientActivation') if new_window rescue nil
         if method == 'GET'
+          # GET ignores enctype: the entry list is always the urlencoded query.
+          query, = encode_entry_list(entries, 'application/x-www-form-urlencoded')
           uri = URI.parse(action_url)
-          uri.query = body unless body.empty?
-          frame_entry ? navigate_frame(uri.to_s, entry: frame_entry) : navigate(uri.to_s)
-        elsif frame_entry
-          navigate_frame_post(action_url, body, content_type || enctype, entry: frame_entry)
+          # HTML "mutate action URL" for GET: SET the query to the entry list
+          # unconditionally — an empty list clears any query the action already
+          # carried (browsers navigate to `action?`), it isn't preserved.
+          uri.query = query
+          if new_window
+            @driver.open_aux_window(uri.to_s, name: window_name, source: self,
+                                    opener: keep_opener, referrer: referrer)
+          elsif frame_entry
+            navigate_frame(uri.to_s, entry: frame_entry)
+          else
+            navigate(uri.to_s)
+          end
         else
-          navigate_post(action_url, body, content_type || enctype)
+          body, content_type = encode_entry_list(entries, enctype)
+          if new_window
+            @driver.open_aux_window(action_url, name: window_name, source: self,
+                                    opener: keep_opener, referrer: referrer,
+                                    post: {body: body, content_type: content_type})
+          elsif frame_entry
+            navigate_frame_post(action_url, body, content_type, entry: frame_entry)
+          else
+            navigate_post(action_url, body, content_type)
+          end
         end
       end
 
-      def build_multipart_body(fields, file_inputs)
-        boundary = "csim-#{SecureRandom.hex(8)}"
-        body     = String.new.force_encoding(Encoding::ASCII_8BIT)
-        fields.each do |name, value|
-          append_multipart_part(body, boundary, name, value.to_s)
-        end
-        file_inputs.each do |fi|
-          picks = file_pick_paths(fi)
-          if picks.empty?
-            append_multipart_part(body, boundary, fi['name'].to_s, '', filename: '')
-          else
-            picks.each do |path|
-              append_multipart_part(body, boundary, fi['name'].to_s, File.binread(path),
-                                    filename:     File.basename(path),
-                                    content_type: Rack::Mime.mime_type(File.extname(path)))
+      # HTML "encode the entry list" by enctype → [body, exact Content-Type]. The
+      # Content-Type is sent verbatim (no charset suffix), which the spec's
+      # form-submission resources compare exactly. text/plain is `name=value\r\n`
+      # per entry (NOT urlencoded); urlencoded (and GET) merge each file entry as
+      # its bare filename. `entries` is the ordered entry list — string
+      # {'name','value'} or file {'name','file'=>true,'filename','handle','index'}
+      # entries; a file's bytes resolve through the `@file_picks` slot.
+      def encode_entry_list(entries, enctype)
+        if enctype.start_with?('multipart/form-data')
+          boundary = "csim-#{SecureRandom.hex(8)}"
+          body     = String.new.force_encoding(Encoding::ASCII_8BIT)
+          entries.each do |e|
+            if e['file']
+              path = entry_file_path(e)
+              if path
+                append_multipart_part(body, boundary, e['name'].to_s, File.binread(path),
+                                      filename:     File.basename(path),
+                                      content_type: Rack::Mime.mime_type(File.extname(path)))
+              elsif e['b64']
+                # An in-memory `new File([…])` has no on-disk slot; its bytes are
+                # carried base64-encoded from the VM. Decode them for the part body.
+                content = e['b64'].to_s.unpack1('m')
+                ct      = e['type'].to_s
+                ct      = 'application/octet-stream' if ct.empty?
+                append_multipart_part(body, boundary, e['name'].to_s, content,
+                                      filename: e['filename'].to_s, content_type: ct)
+              else
+                append_multipart_part(body, boundary, e['name'].to_s, '', filename: e['filename'].to_s)
+              end
+            else
+              append_multipart_part(body, boundary, e['name'].to_s, e['value'].to_s)
             end
           end
+          body << "--#{boundary}--\r\n"
+          [body, "multipart/form-data; boundary=#{boundary}"]
+        else
+          pairs = entries.map {|e| [e['name'].to_s, e['file'] ? e['filename'].to_s : e['value'].to_s] }
+          if enctype == 'text/plain'
+            [pairs.map {|name, value| "#{name}=#{value}\r\n" }.join, 'text/plain']
+          else
+            [URI.encode_www_form(pairs), 'application/x-www-form-urlencoded']
+          end
         end
-        body << "--#{boundary}--\r\n"
-        {content_type: "multipart/form-data; boundary=#{boundary}", body: body}
       end
 
-      # The on-disk paths backing a file input's current selection. Each
-      # selected File reports its host-backed source (`handle`/`index` → the
-      # `@file_picks` slot recorded at `attach_file` time); this resolves bytes
-      # even when JS moved a File onto a different input (`input.files =
-      # dataTransfer.files`), whose own handle was never attached to. Falls back
-      # to the input's own handle for older serializer payloads.
-      #
-      # Only host-backed Files (from `attach_file`) resolve here; a purely
-      # in-memory `new File(['bytes'], …)` assigned via JS has no `@file_picks`
-      # slot, so a CLASSIC (non-Turbo) submit drops its bytes — the fetch/XHR
-      # path serializes those in JS (`serializeMultipart` → `blobBytes`) and is
-      # unaffected. This matches the pre-existing behaviour and covers every
-      # realistic upload (host-backed file submitted through Turbo or a plain
-      # form).
-      def file_pick_paths(fi)
-        refs = fi['files']
-        if refs.is_a?(Array) && !refs.empty?
-          refs.filter_map {|ref|
-            handle = ref['handle']
-            next if handle.nil?
-            picks = @file_picks && @file_picks[handle.to_i]
-            picks && picks[ref['index'].to_i]
-          }
-        else
-          (@file_picks && @file_picks[fi['handle'].to_i]) || []
+      # Resolve a threaded file entry's on-disk path via the `@file_picks` slot
+      # recorded at `attach_file` time (handle/index). nil for a purely in-memory
+      # `new File(['bytes'], …)` (no slot) — a CLASSIC (non-Turbo) submit then
+      # drops its bytes, while the fetch/XHR path serializes them in JS
+      # (`serializeMultipart` → `blobBytes`). This covers every realistic upload
+      # (a host-backed file submitted through Turbo or a plain form).
+      def entry_file_path(entry)
+        handle = entry['handle']
+        return nil if handle.nil?
+        picks = @file_picks && @file_picks[handle.to_i]
+        picks && picks[entry['index'].to_i]
+      end
+
+      # Build the entry list from the form's own controls, for triggers that didn't
+      # construct one in JS (the Enter implicit-submit path). Mirrors the JS FormData
+      # construction: non-file fields in tree order, then each file input's selection
+      # (one empty entry when nothing is picked). A selected File reports its
+      # host-backed source (`handle`/`index`); the older payload shape with no per-File
+      # refs falls back to the input's own handle slot.
+      def entries_from_spec(spec)
+        entries = (spec['fields'] || []).map {|pair| {'name' => pair[0].to_s, 'value' => pair[1].to_s} }
+        (spec['fileInputs'] || []).each do |fi|
+          name = fi['name'].to_s
+          refs = fi['files']
+          if refs.is_a?(Array) && !refs.empty?
+            refs.each {|ref|
+              entries << {'name' => name, 'file' => true, 'filename' => ref['name'].to_s, 'handle' => ref['handle'], 'index' => ref['index']}
+            }
+          else
+            picks = (@file_picks && @file_picks[fi['handle'].to_i]) || []
+            if picks.empty?
+              entries << {'name' => name, 'file' => true, 'filename' => '', 'handle' => nil, 'index' => nil}
+            else
+              picks.each_index {|i|
+                entries << {'name' => name, 'file' => true, 'filename' => File.basename(picks[i]), 'handle' => fi['handle'], 'index' => i}
+              }
+            end
+          end
         end
+        entries
       end
 
       def append_multipart_part(body, boundary, name, content, filename: nil, content_type: nil)
@@ -2211,14 +2530,17 @@ module Capybara
         body << "\r\n"
       end
 
-      def navigate_post(url, body, content_type, depth: 0, from_history: false)
+      def navigate_post(url, body, content_type, depth: 0, from_history: false, referer: @current_url)
         raise 'too many redirects' if depth > 10
         invalidate_find_cache
-        record_history({method: :post, url: url, body: body, content_type: content_type}) unless from_history || depth > 0
+        unless from_history || depth > 0
+          capture_outgoing_form_state
+          record_history({method: :post, url: url, body: body, content_type: content_type})
+        end
         env = Rack::MockRequest.env_for(url, method: 'POST', input: body)
         env['CONTENT_TYPE']   = content_type.empty? ? 'application/x-www-form-urlencoded' : content_type
         env['CONTENT_LENGTH'] = body.bytesize.to_s
-        apply_default_request_env(env, referer: @current_url)
+        apply_default_request_env(env, referer: referer)
         status, headers, resp_body = dispatch_rack_or_http(url, env, method: 'POST', body: body)
         merge_set_cookie(headers)
         if (loc = redirect_location(status, headers))
@@ -2386,7 +2708,14 @@ module Capybara
       # Returns nil on 4xx / fetch failure so the JS caller skips it exactly as the
       # old `__rackFetch` branch did.
       def external_asset_source(url)
-        key = resolve_against_current(url.to_s)
+        # A blob:/data:/about: document's location can't anchor an absolute-path
+        # `src=/common/…` (URI.join on a `blob:` URL yields nothing usable), but its
+        # `<base href>` points at a real http(s) origin — so for THOSE documents
+        # resolve against `<base href>` (HTML base-tag semantics) and the script loads.
+        # Ordinary http(s) pages keep the document-URL base so the hot path skips the
+        # `base_href` dom_call (CLAUDE.md rule 3).
+        needs_base = @current_url.to_s.start_with?('blob:', 'data:', 'about:')
+        key = resolve_against_current(url.to_s, use_base: needs_base)
         return nil unless key.is_a?(String)
         @@asset_src_lock.synchronize do
           if (e = @@asset_src[key])
@@ -3064,28 +3393,48 @@ module Capybara
       # worker's `__csim_workerPostMessage` host fn closes over its
       # handle and routes outgoing messages onto a shared outbox the
       # main settle drains.
-      def worker_spawn(url, shared: false)
+      def worker_spawn(url, shared: false, service: false)
         handle       = (@worker_seq += 1)
+        target       = resolve_against_current(url.to_s)
+        # A worker script from a blob: URL in a DIFFERENT storage partition than this
+        # context can't be created (cross-partition-worker-creation): the worker would
+        # run in the creating context's partition, not the blob's. Deliver an error so
+        # Worker/SharedWorker fires `onerror`, and spawn no thread. The handle is still
+        # >0 so the JS registers the worker and the queued __error reaches it.
+        if target.start_with?('blob:') && @driver.respond_to?(:cross_partition_blob?) && @driver.cross_partition_blob?(target, self)
+          return worker_fail(handle, 'Worker creation from a cross-partition blob URL is blocked')
+        end
         inbox        = Thread::Queue.new
         outbox       = @worker_outbox
         engine_class = @runtime.class
-        target       = resolve_against_current(url.to_s)
         # Resolve the worker script body on the main thread before
         # handing off to the worker. `blob:` URLs need the main VM's
         # blob registry; calling into the main runtime from a
         # non-owning thread SEGVs (V8 isolates are thread-
         # bound; quickjs.rb's VM is similarly per-thread).
         body = fetch_worker_script(target)
+        # A blob: worker script that didn't resolve (revoked / unavailable) fails the
+        # same way — fire onerror rather than spawn a worker that runs nothing.
+        return worker_fail(handle, 'Worker script could not be loaded') if target.start_with?('blob:') && body.to_s.empty?
         # Pending until the worker's initial script has run (see @worker_initializing).
         @worker_init_lock.synchronize { @worker_initializing += 1 }
         thread = Thread.new do
           Thread.current.report_on_exception = false
-          run_worker(handle, target, body, inbox, outbox, engine_class, shared: shared)
+          run_worker(handle, target, body, inbox, outbox, engine_class, shared: shared, service: service)
         end
         @workers[handle] = {thread: thread, inbox: inbox}
         handle
       end
 
+      # Fail a worker that can't be created (blocked / unloadable script): queue an
+      # error event so the JS Worker/SharedWorker fires `onerror`, spawn no thread,
+      # and return the (still >0) handle so the JS registers the worker and the error
+      # reaches it.
+      private def worker_fail(handle, message)
+        @worker_outbox << {handle: handle, kind: '__error', message: message}
+        handle
+      end
+
       def worker_post_to_worker(handle, data)
         w = @workers[handle.to_i]
         return unless w
@@ -3137,9 +3486,32 @@ module Capybara
       # `window.open(url, name)` from JS — returns the new (or reused, by name)
       # window's handle, or nil. The URL is resolved against THIS document so a
       # relative `window.open('/x')` targets the right origin/path.
-      def open_child_window(url, name)
+      def open_child_window(url, name, opener_realm_id = 0)
         return nil unless @driver.respond_to?(:open_window_from_js)
-        @driver.open_window_from_js(self, url.to_s, name.to_s)
+        @driver.open_window_from_js(self, url.to_s, name.to_s, opener_realm_id.to_i)
+      end
+
+      # A `target=_blank`/named link/area activation from a frame or window realm in
+      # THIS browser opens a new top-level auxiliary window. `opener` reflects
+      # rel=opener (a bare target=_blank is noopener); the Driver forces noopener for
+      # a cross-partition blob: target. `blob` is an optional click-time blob snapshot.
+      def open_aux_from_realm(url, opener, blob)
+        return unless @driver.respond_to?(:open_aux_window)
+        snap = blob.is_a?(Hash) ? blob : nil
+        @driver.open_aux_window(resolve_document_url(url.to_s), source: self, opener: !!opener, blob_snapshot: snap)
+      end
+
+      # Open a SAME-ORIGIN auxiliary window as a realm in THIS browser's isolate
+      # (shared heap) rather than a separate Browser/VM, returning the new realm's
+      # context id for `window.open` to wrap in a NATIVE WindowProxy — so
+      # `popup.document` is a real same-isolate Document and cross-window adoptNode
+      # works (dom/nodes/remove-and-adopt-thcrash). Returns nil to fall back to the
+      # separate-VM aux-window path. First stage: about:blank only (a non-blank
+      # same-origin URL still takes the aux path until realm URL-loading lands).
+      def open_window_realm(url, name: nil, opener_realm_id: 0)
+        return nil unless @runtime.respond_to?(:create_window_realm)
+        return nil unless url.nil?
+        @runtime.create_window_realm('', '', 'text/html', window_name: name, opener_id: opener_realm_id)
       end
 
       # `targetWindow.postMessage(data, origin)` — route to the target window's
@@ -3154,6 +3526,41 @@ module Capybara
       # route to the Driver, which reads a PRIMITIVE off the target window's VM.
       def window_get(handle, prop)     = (@driver.respond_to?(:window_read) ? @driver.window_read(handle.to_s, prop.to_s, doc: false) : nil)
       def window_doc_get(handle, prop) = (@driver.respond_to?(:window_read) ? @driver.window_read(handle.to_s, prop.to_s, doc: true)  : nil)
+      # Cross-window remote-ref RPC — SOURCE side: forward a node/object proxy op to
+      # the target window's Browser via the Driver.
+      def window_ref_get(handle, id, prop)         = (@driver.respond_to?(:window_ref_get) ? @driver.window_ref_get(handle.to_s, id, prop.to_s) : nil)
+      def window_ref_set(handle, id, prop, value)  = (@driver.window_ref_set(handle.to_s, id, prop.to_s, value) if @driver.respond_to?(:window_ref_set))
+      def window_ref_call(handle, id, method, args) = (@driver.respond_to?(:window_ref_call) ? @driver.window_ref_call(handle.to_s, id, method.to_s, args) : nil)
+      # TARGET side: execute the op against THIS window's VM (the Driver calls these
+      # on the resolved target Browser).
+      def remote_ref_get(id, prop)          = @runtime.call('__csimRemoteRefGet', id, prop.to_s)
+      def remote_ref_set(id, prop, value)
+        @runtime.call('__csimRemoteRefSet', id, prop.to_s, value)
+        # A cross-isolate property set can queue a navigation in THIS (target)
+        # window — `w.location.href = …` / `w.location = …`. Drain it (and any other
+        # pending action it triggered) so the non-active window actions it now.
+        drain_pending_after_remote_ref
+        nil
+      end
+      def remote_ref_call(id, method, args)
+        result = @runtime.call('__csimRemoteRefCall', id, method.to_s, args || [])
+        # A cross-isolate call can queue a pending action in THIS (target) window —
+        # `w.form.submit()` (form submit), `w.history.back()` (history traverse),
+        # `w.location.assign()` (navigation). Drain them so the non-active window
+        # actions them (they would otherwise wait for a Capybara action on it).
+        drain_pending_after_remote_ref
+        result
+      end
+      # Drain every deferred action a cross-isolate operation may have queued in this
+      # window: form submission, plain navigation, same-document history traversal
+      # (history.back/forward/go — restores the previous entry + fires load), and
+      # child-frame navigation. Each consume is a no-op when nothing is pending.
+      def drain_pending_after_remote_ref
+        consume_pending_form_submit
+        consume_pending_navigation
+        consume_pending_history_traverse
+        consume_pending_frame_nav
+      end
       # Read a primitive property off THIS window's globalThis / document — called
       # by the Driver to serve another window's cross-window proxy read.
       def read_property(prop, doc: false)
@@ -3162,9 +3569,13 @@ module Capybara
         nil
       end
       def set_window_location(handle, url) = (@driver.window_set_location(handle.to_s, url.to_s) if @driver.respond_to?(:window_set_location))
+      def window_history_go(handle, delta) = (@driver.respond_to?(:window_history_go) ? @driver.window_history_go(handle.to_s, delta.to_i) : false)
       def window_closed?(handle)       = @driver.respond_to?(:window_closed?)      ? @driver.window_closed?(handle.to_s)           : true
       def close_child_window(handle)   = (@driver.close_window(handle.to_s) if @driver.respond_to?(:close_window))
       def opener_handle                = @driver.respond_to?(:opener_handle_of)    ? @driver.opener_handle_of(self)                : nil
+      # Fire an aux window's own window `load` (called by its opener, deferred).
+      def fire_aux_window_load(handle)  = (@driver.fire_aux_window_load(handle.to_s) if @driver.respond_to?(:fire_aux_window_load))
+      def fire_own_window_load          = (@runtime.call('__csimFireWindowLoad') rescue nil)
 
       # Queue a cross-window message for delivery into THIS window's VM (called
       # by the Driver on the target Browser). Delivered as a `message` event the
@@ -3177,9 +3588,13 @@ module Capybara
       # cross-window event channels share these drain/pending hooks.
       def window_message_pending? = !@window_inbox.empty? || !@broadcast_inbox.empty?
 
-      # A BroadcastChannel message from another window, queued for delivery to
-      # this window's channels with the same name.
-      def enqueue_broadcast(name, data) = (@broadcast_inbox << {'name' => name.to_s, 'data' => data})
+      # A BroadcastChannel message queued for delivery to this Browser's channels.
+      # `source_realm_id` is the posting realm's context id within THIS isolate (0 =
+      # main), or nil when the post came from ANOTHER isolate (the Driver's cross-
+      # window fanout) — a nil source matches no local realm, so it reaches every one.
+      def enqueue_broadcast(name, data, source_realm_id = nil)
+        @broadcast_inbox << {'name' => name.to_s, 'data' => data, 'source' => source_realm_id}
+      end
 
       # Fire queued cross-window messages (postMessage + BroadcastChannel).
       def deliver_window_messages
@@ -3191,16 +3606,39 @@ module Capybara
         end
         unless @broadcast_inbox.empty?
           events = @broadcast_inbox.slice!(0, @broadcast_inbox.length)
-          @runtime.call('__csim_deliverBroadcasts', events)
+          # A BroadcastChannel reaches every same-origin browsing context EXCEPT the
+          # poster. Within this isolate each browsing context is a realm, so deliver to
+          # the main realm (0) and every live frame/window realm, skipping the realm
+          # that posted (it already delivered to itself in-VM via `_bcChannels`). A nil
+          # source (cross-isolate) is excluded from no realm.
+          realm_ids = @runtime.respond_to?(:frame_realm_ids) ? @runtime.frame_realm_ids : []
+          [0, *realm_ids].each do |target_id|
+            batch = events.reject {|e| e['source'] == target_id }
+            next if batch.empty?
+            if target_id.zero?
+              @runtime.call('__csim_deliverBroadcasts', batch)
+            elsif @runtime.frame_realm_alive?(target_id)
+              @runtime.realm_call(target_id, '__csim_deliverBroadcasts', batch)
+            end
+          end
           n += events.size
         end
         n
       end
 
-      # `BroadcastChannel.postMessage` in THIS window — fan out to every OTHER
-      # window's matching channels (same-window delivery happens in-VM).
-      def broadcast_to_windows(name, data)
+      # `BroadcastChannel.postMessage` in THIS window — fan out to every OTHER same-
+      # origin browsing context's matching channels (same-realm delivery happens
+      # in-VM). `source_realm_id` is the posting realm's context id. The cross-ISOLATE
+      # fanout goes through the Driver; the same-ISOLATE fanout (main ↔ sibling realms,
+      # sibling ↔ sibling) is queued here and delivered per-realm by
+      # `deliver_window_messages`, which skips the posting realm.
+      def broadcast_to_windows(name, data, source_realm_id = 0)
         @driver.broadcast_channel(self, name.to_s, data) if @driver.respond_to?(:broadcast_channel)
+        # Only queue for same-isolate delivery when sibling realms exist — a single-
+        # realm page already delivered to itself in-VM, so this stays zero-overhead.
+        if @runtime.respond_to?(:frame_realm_ids) && @runtime.frame_realm_ids.any?
+          enqueue_broadcast(name, data, source_realm_id.to_i)
+        end
       end
 
       # ── Image decode (libvips) ─────────────────────────────────────
@@ -3281,11 +3719,64 @@ module Capybara
           # that context would wrongly revoke a now-page-owned URL.
           if key then @blob_owners[url.to_s] = key else @blob_owners.delete(url.to_s) end
         end
+        # Record the blob's STORAGE PARTITION (this window's top-level site) in the
+        # Driver-level store so another window can resolve it only from the same
+        # partition (blob URL partitioning). Keyed by the creating Browser so the
+        # bytes are read back from wherever they live (the creator's isolate).
+        @driver.register_blob_partition(url.to_s, self, blob_partition_site) if @driver.respond_to?(:register_blob_partition)
         nil
       end
 
       def blob_resolve(url)
-        @blob_registry_lock.synchronize { @blob_registry[url.to_s] }
+        local = @blob_registry_lock.synchronize { @blob_registry[url.to_s] }
+        return local if local
+        # Not in this window's registry: a blob created in ANOTHER window/isolate is
+        # fetchable only from the SAME storage partition (cross-partition.https
+        # "fetched from a same-partition iframe" succeeds; a cross-partition fetch
+        # fails). Resolve the bytes cross-isolate from the creator and hand them back
+        # as base64 (resolveBlobBytes decodes them). The cross-isolate read enters the
+        # creator's V8 isolate, so only do it on the MAIN thread — a worker thread
+        # can't safely enter another isolate (so a same-partition WORKER fetch of a
+        # blob owned elsewhere isn't supported; a cross-partition one correctly fails).
+        # CAVEAT: bytes-only — resolveBlobBytes types a host-resolved blob as
+        # application/octet-stream (the cross-window path loses the Blob's `type`); no
+        # in-scope test reads the type on this path, and carrying it would change the
+        # __csim_blobResolve string protocol.
+        return nil unless @driver.respond_to?(:blob_partition_site_of) && @driver.respond_to?(:blob_bytes_for)
+        site = @driver.blob_partition_site_of(url.to_s)
+        return nil if site.nil? || site != blob_partition_site   # unknown / revoked / cross-partition
+        return nil if Thread.current[:csim_worker_handle]
+        data = @driver.blob_bytes_for(url.to_s, self)
+        data && Base64.strict_encode64(data[:bytes].to_s.b)
+      end
+
+      # The SITE (scheme + registrable domain) of this window's top-level document.
+      # Storage partitioning keys a blob URL on its creator's top-level site, so a
+      # same-origin iframe embedded in a cross-site top-level context is a DIFFERENT
+      # partition and can't reach the blob. Registrable domain is approximated as the
+      # host's last two dot-labels — correct for the single-label public suffixes our
+      # in-process hosts use (web-platform.test / not-web-platform.test / *.com); a
+      # full Public Suffix List isn't warranted here.
+      def blob_partition_site
+        # A blob: document's location is `blob:<innerURL>` (e.g.
+        # `blob:https://host:port/uuid`) — strip the prefix so the site derives from
+        # the inner origin, not the opaque blob: scheme. data:/about: have no host →
+        # '' (an opaque origin, never same-partition with a real one).
+        u = URI.parse(@current_url.to_s.sub(/\Ablob:/, ''))
+        host = u.host.to_s
+        return '' if host.empty?
+        labels = host.split('.')
+        # An IP literal (v4 dotted / v6 bracketed) or a ≤2-label host IS its own
+        # registrable domain; otherwise approximate eTLD+1 as the last two labels
+        # (no Public Suffix List — correct for the single-label TLDs our hosts use).
+        regd = if host.start_with?('[') || host.match?(/\A\d+(\.\d+){3}\z/) || labels.length <= 2
+          host
+        else
+          labels.last(2).join('.')
+        end
+        "#{u.scheme}://#{regd}"
+      rescue URI::Error
+        ''
       end
 
       # WHATWG URL "domain to ASCII" — the JS tr46 stub delegates non-ASCII / xn--
@@ -3295,10 +3786,25 @@ module Capybara
       # VerifyDnsLength off) — empty middle labels (`x..y`) and `_`/etc. are
       # allowed, matching whatwg-url's `domainToASCII(domain, false)`.
       def domain_to_ascii(domain)
-        URI::IDNA.whatwg_to_ascii(domain.to_s, be_strict: false)
+        d = domain.to_s
+        # An all-ASCII domain needs no IDNA mapping: WHATWG "domain to ASCII"
+        # (beStrict false) keeps it verbatim and only ASCII-lowercases it — including
+        # an `xn--` A-label whose punycode doesn't decode to a valid UTS46 label
+        # (`xn--pokxncvks` → disallowed U+3253…, or the bare `xn--`). Browsers (and the
+        # WPT urltestdata) keep those A-labels as-is; uri-idna RE-validates the decoded
+        # label and raises, which would wrongly fail the parse. So route only domains
+        # with non-ASCII codepoints (the ones that actually need punycode) through
+        # uri-idna. Forbidden host code points in an ASCII host are caught separately
+        # by whatwg-url's host parser, not here. (Residual: a host MIXING a non-ASCII
+        # label with a non-decodable `xn--` label still routes through uri-idna and
+        # fails — a narrow per-label gap no current test hits; the all-ASCII fast path
+        # covers every observed case.)
+        return d.downcase if d.ascii_only?
+        URI::IDNA.whatwg_to_ascii(d, be_strict: false)
       rescue URI::IDNA::Error
-        nil   # a genuine IDNA failure (bad punycode / disallowed codepoint) — let
-              # whatwg-url report "domain to ASCII failed". Non-IDNA errors propagate.
+        nil   # a genuine IDNA failure on a non-ASCII host (bad punycode / disallowed
+              # codepoint) — let whatwg-url report "domain to ASCII failed". Non-IDNA
+              # errors propagate.
       end
 
       # WHATWG URL "domain to Unicode" — best-effort (never fails the parse per
@@ -3334,20 +3840,62 @@ module Capybara
         # type (url-charset) is preserved so it can override <meta charset>.
         ct = "#{ct};charset=utf-8" unless ct.downcase.include?('charset')
         record_response(200, {'content-type' => ct})
+        b64 = Base64.strict_encode64(bytes.to_s.b)
+        # Make the blob URL fetchable from the document we're about to load — a blob:
+        # document that fetches itself (or a media `src` first-party load) snapshots
+        # the bytes SYNCHRONOUSLY at fetch() time, which runs DURING boot below, so the
+        # bytes must be registered in this window's @blob_registry FIRST. No partition
+        # entry — the blob keeps its original storage partition; this only makes it
+        # first-party-fetchable in the window it was navigated into.
+        @blob_registry_lock.synchronize { @blob_registry[url.to_s] = b64 }
         boot_response_into_ctx(bytes)
+        # Adopt into the in-VM store too, so a LATER resolve keeps the correct content
+        # type (the @blob_registry b64 path resolves as application/octet-stream).
+        @runtime.call('__csimAdoptBlobBytes', url.to_s, b64, content_type.to_s) rescue nil
       end
 
+      # A user-initiated `URL.revokeObjectURL`. Storage-partitioned + cross-isolate:
+      # the Driver vetoes a cross-partition revoke (a same-origin but cross-top-level-
+      # site context can't revoke the blob — cross-partition.https) and, for a
+      # same-partition revoke, invalidates the blob in the CREATOR's isolate too so
+      # every window stops resolving it (the blob may have been created in another
+      # window). (Context-teardown revokes go through revoke_owned_blobs, not here.)
       def blob_unregister(url)
-        @blob_registry_lock.synchronize { @blob_registry.delete(url.to_s); @blob_owners.delete(url.to_s) }
+        if @driver.respond_to?(:revoke_blob_partitioned)
+          return nil unless @driver.revoke_blob_partitioned(url.to_s, self)
+        elsif @driver.respond_to?(:unregister_blob_partition)
+          @driver.unregister_blob_partition(url.to_s)
+        end
+        drop_local_blob(url)
         nil
       end
 
+      # Forget a blob URL in THIS isolate: its validity marker / bytes in
+      # @blob_registry and its in-VM store entry. Called for a local revoke and, via
+      # the Driver, when another same-partition window revokes a blob this isolate
+      # created. The @blob_registry removal is the AUTHORITATIVE invalidation
+      # (resolveBlobBytes gates on it cross-realm); the in-VM `__csimDropBlob` is a
+      # same-thread V8 call, so it's skipped on a worker thread — a worker's
+      # `revokeObjectURL` forwards here on the WORKER thread, and calling a
+      # thread-confined isolate from a non-owning thread SEGVs (V8/quickjs isolates
+      # are thread-bound). The stale in-VM entry is harmless: resolveBlobBytes returns
+      # null once the registry marker is gone.
+      def drop_local_blob(url)
+        @blob_registry_lock.synchronize { @blob_registry.delete(url.to_s); @blob_owners.delete(url.to_s) }
+        return if Thread.current[:csim_worker_handle]   # worker thread: the registry removal above is enough
+        @runtime.call('__csimDropBlob', url.to_s) rescue nil
+      end
+
       # Revoke every blob URL owned by a context that's going away (its blob URL
       # store is part of the global being torn down).
       def revoke_owned_blobs(key)
-        @blob_registry_lock.synchronize do
+        revoked = @blob_registry_lock.synchronize do
           urls = @blob_owners.select {|_url, owner| owner == key }.keys
           urls.each {|url| @blob_registry.delete(url); @blob_owners.delete(url) }
+          urls
+        end
+        if @driver.respond_to?(:unregister_blob_partition)
+          revoked.each {|url| @driver.unregister_blob_partition(url) }
         end
       end
       # Keys are normalized with `.to_i` on BOTH sides (register tags
@@ -3473,6 +4021,17 @@ module Capybara
       }.freeze
       private_constant :MIME_TO_VIPS_EXT
 
+      # The canonical MIME for each format we actually encode. An unsupported
+      # request type maps to '.png' below, so the encoded format (and the type
+      # we report back to the canvas) is image/png — matching the toBlob /
+      # toDataURL "unsupported type falls back to image/png" rule.
+      EXT_TO_MIME = {
+        '.jpg'  => 'image/jpeg',
+        '.webp' => 'image/webp',
+        '.png'  => 'image/png'
+      }.freeze
+      private_constant :EXT_TO_MIME
+
       def encode_image(pixels_ref, width, height, mime_type = 'image/png', quality = 90)
         host_image_op('encode_image') {
           require 'vips' unless defined?(Vips)
@@ -3483,7 +4042,7 @@ module Capybara
           img = Vips::Image.new_from_memory_copy(raw, w, h, 4, :uchar)
           ext = MIME_TO_VIPS_EXT[mime_type.to_s.downcase] || '.png'
           opts = (ext == '.jpg' || ext == '.webp') ? {Q: quality.to_i} : {}
-          {'refId' => transfer_buffer_stash(img.write_to_buffer(ext, **opts))}
+          {'refId' => transfer_buffer_stash(img.write_to_buffer(ext, **opts)), 'mime' => EXT_TO_MIME[ext]}
         }
       end
 
@@ -3493,7 +4052,7 @@ module Capybara
       # `build_worker` factory, evaluates the worker script, then
       # loops draining microtasks + timers + inbox until `:terminate`
       # lands or an exception propagates.
-      private def run_worker(handle, url, body, inbox, outbox, engine_class, shared: false)
+      private def run_worker(handle, url, body, inbox, outbox, engine_class, shared: false, service: false)
         # Release the spawn-time `@worker_initializing` count exactly once, however
         # this method exits (normal start, `self.close()`, or an exception), so
         # worker_pending? doesn't stay stuck true forever.
@@ -3518,6 +4077,9 @@ module Capybara
         # resolve chunks against the worker's own origin rather than
         # the snapshot-time `http://placeholder/`.
         rt.eval("globalThis.__csimUpdateLocation(#{JSON.generate(url.to_s)});")
+        # A service worker runs in a ServiceWorkerGlobalScope: adjust the worker scope
+        # (no blob-URL minting; SW lifecycle stubs) BEFORE its script runs.
+        rt.eval('__csim_installServiceWorkerScope();') if service
         rt.eval(body)
         rt.drain_microtasks
         # A SharedWorker fires `connect` AFTER its script set `self.onconnect`; the
@@ -3531,16 +4093,25 @@ module Capybara
         release_init.call
         # A worker that called `self.close()` in its top-level script stops here —
         # the script ran (and may have posted), but no further messages are pulled.
-        unless rt.eval('!!globalThis.__csimWorkerClosed')
+        unless rt.call('__csimWorkerClosedRead')
           loop do
             msg = pop_with_timeout(inbox, WORKER_POLL_INTERVAL)
             break if msg == :terminate
-            if msg
-              rt.call('__csim_workerOnMessage', msg)
+            rt.call('__csim_workerOnMessage', msg) if msg
+            # Drive the worker's OWN event loop each tick: a message handler OR an
+            # AUTONOMOUS loop (the dispatcher executor-worker's receive→fetch→setTimeout
+            # retry, which has no inbox message) may have pending timers. Drain ~one poll
+            # interval (WorkerRuntime#drain_timers advances the worker clock a step) so
+            # they progress; worker http fetch is setTimeout(0)+__rackFetch, resolved on
+            # this thread by the drain. Gated on a PENDING timer (any, not just due-now —
+            # the clock must advance to fire a future randomDelay) so an idle
+            # message-driven worker with no timers stays lazy. Host CALLS, not string
+            # `eval`, keep the per-tick cost off the V8 compile path (rule 3).
+            if rt.call('__nextTimerDelay').to_f >= 0
               rt.drain_microtasks
-              rt.drain_timers if rt.has_ready_timer?
-              break if rt.eval('!!globalThis.__csimWorkerClosed')
+              rt.drain_timers
             end
+            break if rt.call('__csimWorkerClosedRead')
           end
         end
       rescue StandardError => e
@@ -3558,6 +4129,13 @@ module Capybara
       private def fetch_worker_script(url)
         u = url.to_s
         if u.start_with?('blob:')
+          # Resolve via the Driver's partition store so a SAME-partition blob created
+          # in ANOTHER window/isolate (the cross-partition-worker-creation test creates
+          # the blob in the opener and the worker in a same-site iframe) is readable.
+          # Falls back to this realm's own store when there's no Driver entry.
+          if @driver.respond_to?(:blob_bytes_for) && (data = @driver.blob_bytes_for(u, self))
+            return data[:bytes]
+          end
           b64 = @runtime.call('__csimReadBlobBase64', u)
           return nil unless b64
           return Base64.decode64(b64.to_s)
@@ -3940,6 +4518,9 @@ module Capybara
         (@pending_frame_nav ||= {})[realm_id] = url.to_s
       end
       def consume_pending_frame_nav
+        # Window-realm self-navs are realm navs too — drain them at every frame-nav
+        # drain point (before the frame-nav early-return so a window-only nav lands).
+        consume_pending_window_nav
         return if @pending_frame_nav.nil? || @pending_frame_nav.empty?
         navs = @pending_frame_nav
         @pending_frame_nav = nil
@@ -3963,6 +4544,44 @@ module Capybara
           log_console('warn', "frame self-navigation failed: #{e.message}")
         end
       end
+      # A same-origin WINDOW realm (window.open in this isolate) navigating itself
+      # via `win.location = …`. Like frame_navigate_self, defer (the call lands here
+      # from the realm's own location setter, mid-flight) and drain after the action.
+      # A blob: URL is resolved to bytes NOW — before the opener's typical immediate
+      # `revokeObjectURL` — since the realm reload happens later (url-in-tags-revoke).
+      def window_realm_navigate_self(url, realm_id)
+        return if realm_id.nil? || realm_id.zero?
+        spec = {url: url.to_s}
+        if url.to_s.start_with?('blob:') && (b = read_blob_for_window(url.to_s))
+          # The blob's bytes arrive BINARY-tagged (Base64-decoded). __csimLoadDocument
+          # HTML-parses TEXT, and a BINARY string marshals to V8 as a Uint8Array (not a
+          # String), which `String(...)`s to comma-joined digits — a script-less doc. Decode
+          # to UTF-8 text like every other load path (see RuntimeShared.utf8_text).
+          spec[:body]  = RuntimeShared.utf8_text(b[:bytes])
+          spec[:ctype] = b[:type].to_s.empty? ? 'text/html' : b[:type]
+        end
+        (@pending_window_nav ||= {})[realm_id] = spec
+      end
+      def consume_pending_window_nav
+        return if @pending_window_nav.nil? || @pending_window_nav.empty?
+        navs = @pending_window_nav
+        @pending_window_nav = nil
+        navs.each do |realm_id, spec|
+          invalidate_find_cache
+          body, ctype = spec[:body], spec[:ctype]
+          # http(s) / relative URL window-realm nav (rack fetch) is not modeled yet —
+          # only the blob/in-memory document case (which pre-resolved bytes above)
+          # loads here. Warn rather than silently drop so an unsupported popup
+          # navigation is diagnosable instead of looking like a frozen about:blank.
+          if body.nil?
+            log_console('warn', "window-realm navigation to #{spec[:url]} not modeled (only blob: documents load); ignoring")
+            next
+          end
+          @runtime.reload_window_realm(realm_id, spec[:url], body.to_s, ctype.to_s)
+        rescue StandardError => e
+          log_console('warn', "window realm self-navigation failed: #{e.message}")
+        end
+      end
       # Mirror of `location_assign`'s deferral for `location.reload()`:
       # the JS call lands here from `__locationReload`; running
       # `browser.refresh` directly would `navigate` (rebuilding the
@@ -4029,11 +4648,103 @@ module Capybara
           sub = @runtime.realm_call(realm_id, '__csimTakePendingFormSubmit')
           next unless sub.is_a?(Hash) && sub['formHandle']
           invalidate_find_cache
-          submit_form_in_realm(realm_id, sub['formHandle'], sub['submitterHandle'])
+          submit_form_in_realm(realm_id, sub['formHandle'], sub['submitterHandle'], sub['entryList'])
         rescue StandardError => e
           log_console('warn', "nested-context form submission failed: #{e.message}")
         end
       end
+      # ── Frame session history ──────────────────────────────────────────────
+      # A nested browsing context (iframe) keeps its OWN back/forward history of
+      # the documents it navigates through, with each entry's form-control state
+      # captured for restoration (HTML "persisted user state" / bfcache). Keyed by
+      # [parent realm, iframe element handle] — stable across the frame-realm
+      # rebuilds a navigation triggers (the element outlives its realm).
+      #
+      # `iframe.contentWindow.history.back()` runs while the frame realm is on the
+      # V8 stack, so (like frame_navigate_self) DEFER the traversal and drain it
+      # after the call returns — rebuilding the realm inline would terminate it.
+      def frame_history_go(realm_id, delta)
+        return if realm_id.nil? || realm_id.zero?
+        @pending_frame_traverse = {realm_id: realm_id, delta: delta.to_i}
+      end
+      def consume_pending_frame_traverse
+        return if @pending_frame_traverse.nil?
+        pt = @pending_frame_traverse
+        @pending_frame_traverse = nil
+        invalidate_find_cache
+        perform_frame_traverse(pt[:realm_id], pt[:delta])
+      rescue StandardError => e
+        log_console('warn', "frame history traversal failed: #{e.message}")
+      end
+      def perform_frame_traverse(realm_id, delta)
+        # The traversal was deferred; the frame may have been disposed (a competing
+        # nav) between flag and drain — drop it gracefully.
+        return unless @runtime.frame_realm_alive?(realm_id)
+        parent = @runtime.frame_realm_parent(realm_id)
+        handle = frame_container_handle(realm_id, parent)
+        return if handle.zero?
+        h = (@frame_histories ||= {})[[parent, handle]]
+        return if h.nil?
+        target = h[:idx] + delta
+        return if target.negative? || target >= h[:entries].size
+        # Snapshot the entry we're leaving so a later forward traversal restores it.
+        h[:entries][h[:idx]] = frame_history_entry(realm_id) if h[:idx] >= 0
+        reload_frame_to_entry(realm_id, h[:entries][target])
+        h[:idx] = target   # advance only after the rebuild succeeds
+      end
+      # Record a frame navigation away from `realm_id` to `new_url`: snapshot the
+      # OUTGOING document (URL + form state) into the current entry — seeding entry
+      # 0 the first time — then drop any forward tail and push the new entry. Hooked
+      # into the frame form-submission paths; frame navigations driven by
+      # `location.href` / link clicks aren't recorded yet (history.back there falls
+      # through to the top document, as before).
+      def record_frame_nav(realm_id, new_url)
+        return if realm_id.nil? || realm_id.zero?
+        parent = @runtime.frame_realm_parent(realm_id)
+        handle = frame_container_handle(realm_id, parent)
+        return if handle.zero?
+        h = (@frame_histories ||= {})[[parent, handle]] ||= {entries: [], idx: -1}
+        outgoing = frame_history_entry(realm_id)
+        if h[:idx] >= 0
+          h[:entries][h[:idx]] = outgoing
+        else
+          h[:entries] << outgoing
+          h[:idx] = 0
+        end
+        h[:entries] = h[:entries][0..h[:idx]]
+        h[:entries] << {url: new_url.to_s, form_state: nil}
+        h[:idx] = h[:entries].size - 1
+      end
+      # The history entry for the document currently loaded in `realm_id`: its URL
+      # plus a snapshot of its form-control state.
+      def frame_history_entry(realm_id)
+        {url: frame_realm_url(realm_id), form_state: capture_frame_form_state(realm_id)}
+      end
+      def frame_realm_url(realm_id)
+        return nil unless @runtime.frame_realm_alive?(realm_id)
+        @runtime.realm_call(realm_id, '__csimLocationHref').to_s
+      rescue StandardError
+        nil
+      end
+      def capture_frame_form_state(realm_id)
+        return nil unless @runtime.frame_realm_alive?(realm_id)
+        @runtime.realm_call(realm_id, '__csimCaptureFormState')
+      rescue StandardError
+        nil
+      end
+      # Re-fetch a history entry's URL and rebuild the frame realm from it, then
+      # restore the entry's captured form state (before the element load fires).
+      def reload_frame_to_entry(realm_id, entry)
+        url = entry[:url].to_s
+        return if url.empty?
+        env = Rack::MockRequest.env_for(url, method: 'GET')
+        apply_default_request_env(env, referer: current_browsing_context_url)
+        status, headers, body = dispatch_rack_or_http(url, env, method: 'GET')
+        merge_set_cookie(headers)
+        return if download_response?(headers)
+        html = read_rack_body(body)
+        reload_frame_realm_by_id(realm_id, url, html, response_content_type(headers), restore_state: entry[:form_state])
+      end
       # Serialize + route a form submitted inside frame realm `realm_id`. We
       # serialize in the INITIATING realm (so shadow-tree controls are excluded
       # and relative URLs resolve against that document), then route by target:
@@ -4044,23 +4755,25 @@ module Capybara
       # GET fully supported. POST to a self frame needs the entered stack
       # (navigate_frame_post); POST-to-named and other targets from a nested
       # context aren't modeled (no in-scope need) — logged rather than dropped.
-      def submit_form_in_realm(realm_id, form_handle, submitter_handle)
+      def submit_form_in_realm(realm_id, form_handle, submitter_handle, entry_list = nil)
         spec = @runtime.realm_call(realm_id, '__csimFormSerialize', form_handle, submitter_handle || 0)
         return unless spec.is_a?(Hash)
         method = spec['method'].to_s.upcase
         method = 'GET' if method.empty?
         target = spec['target'].to_s
         action = spec['action'].to_s
-        fields = (spec['fields'] || []).map {|pair| [pair[0].to_s, pair[1].to_s] }
-        # Non-multipart file inputs contribute the filename only (mirror submit_form_handle's GET path).
-        (spec['fileInputs'] || []).each do |fi|
-          picks = @file_picks && @file_picks[fi['handle'].to_i] || []
-          fields << [fi['name'].to_s, picks.first ? File.basename(picks.first) : '']
-        end
-        body    = URI.encode_www_form(fields)
-        get_url = form_get_url(action, body)
+        enctype = spec['enctype'].to_s.empty? ? 'application/x-www-form-urlencoded' : spec['enctype'].to_s.downcase
+        entries = entry_list.is_a?(Array) ? entry_list : entries_from_spec(spec)
+        # GET → urlencoded query (enctype ignored); POST → enctype-encoded body.
+        get_query, = encode_entry_list(entries, 'application/x-www-form-urlencoded')
+        get_url = form_get_url(action, get_query)
         if frame_self_target?(target)
-          navigate_realm_self(realm_id, get_url, action, method, body, spec['enctype'].to_s)
+          if method == 'GET'
+            navigate_realm_self_get(realm_id, get_url)
+          else
+            body, content_type = encode_entry_list(entries, enctype)
+            navigate_realm_self_post(realm_id, resolve_against_current(action), body, content_type)
+          end
         elsif %w[_parent _top _blank].include?(target.downcase)
           log_console('warn', "nested-context form submit (target=#{target.inspect}) is not modeled")
         elsif method == 'GET'
@@ -4078,30 +4791,103 @@ module Capybara
       # URL's query with the serialized entry list (dropping any pre-existing
       # query), preserving a trailing #fragment. String-based so it works on the
       # raw (possibly relative) action attribute without URI.parse fragility;
-      # the absolute equivalent of submit_form_handle's `uri.query = body`.
+      # the absolute equivalent of submit_form_handle's `uri.query = body`. An
+      # EMPTY entry list still clears the query (→ `action?`), matching browsers.
       def form_get_url(action, body)
-        return action if body.empty?
         base, _hash, frag = action.partition('#')
         path = base.split('?', 2).first
         url  = "#{path}?#{body}"
         frag.empty? ? url : "#{url}##{frag}"
       end
-      # Navigate the initiating frame realm itself (a self-targeted form submit).
-      def navigate_realm_self(realm_id, get_url, action, method, body, enctype)
+      # A self-targeted GET form submit in the initiating frame realm: navigate
+      # that frame to the action URL (query already mutated in).
+      def navigate_realm_self_get(realm_id, get_url)
+        record_frame_nav(realm_id, get_url)
         entry = @frame_stack.find {|e| e[:realm_id] == realm_id }
-        if method == 'GET'
-          if entry
-            navigate_frame(resolve_against_current(get_url), entry: entry)
-          else
-            # A frame reached via contentWindow (not on the entered stack): its
-            # owning iframe lives in the parent document — re-navigate by realm id
-            # (relative get_url resolves against the frame's base on rebuild).
-            @runtime.call('__csimNavigateFrameByRealm', realm_id, get_url)
+        if entry
+          navigate_frame(resolve_against_current(get_url), entry: entry)
+        else
+          # A frame reached via contentWindow (not on the entered stack): its
+          # owning iframe lives in its PARENT realm's document (the main realm for
+          # a top-level frame, an intermediate realm for a nested one), so route
+          # the by-realm src-reassignment there — not unconditionally to main.
+          # (relative get_url resolves against the frame's base on rebuild).
+          parent = @runtime.frame_realm_parent(realm_id)
+          frame_realm_host_call(parent, '__csimNavigateFrameByRealm', realm_id, get_url)
+        end
+      end
+      # A self-targeted POST form submit in the initiating frame realm. POST the
+      # entity body to the action URL, then rebuild that frame's realm from the
+      # response. An ENTERED frame (on @frame_stack) reuses navigate_frame_post;
+      # a frame reached via contentWindow has no stack entry, so rebuild it by
+      # realm id (recovering its container element + parent realm) and fire the
+      # iframe element's load event the GET/src path would.
+      def navigate_realm_self_post(realm_id, url, body, content_type, depth: 0)
+        raise 'too many redirects' if depth > 10
+        record_frame_nav(realm_id, url) if depth.zero?
+        entry = @frame_stack.find {|e| e[:realm_id] == realm_id }
+        return navigate_frame_post(url, body, content_type, entry: entry) if entry
+        invalidate_find_cache
+        env = Rack::MockRequest.env_for(url, method: 'POST', input: body)
+        env['CONTENT_TYPE']   = content_type.to_s.empty? ? 'application/x-www-form-urlencoded' : content_type
+        env['CONTENT_LENGTH'] = body.bytesize.to_s
+        apply_default_request_env(env, referer: current_browsing_context_url)
+        status, headers, resp_body = dispatch_rack_or_http(url, env, method: 'POST', body: body)
+        merge_set_cookie(headers)
+        if (loc = redirect_location(status, headers))
+          next_url = resolve_against_current(loc)
+          resp_body.close if resp_body.respond_to?(:close)
+          # 307/308 preserve method + body; 301/302/303 → GET the frame (routed
+          # through the realm that OWNS the iframe, as in navigate_realm_self_get).
+          if [307, 308].include?(status)
+            return navigate_realm_self_post(realm_id, next_url, body, content_type, depth: depth + 1)
           end
-        elsif entry
-          navigate_frame_post(resolve_against_current(action), body, enctype, entry: entry)
+          parent = @runtime.frame_realm_parent(realm_id)
+          return frame_realm_host_call(parent, '__csimNavigateFrameByRealm', realm_id, next_url)
+        end
+        if download_response?(headers)
+          save_downloaded_response(url, headers, resp_body)
+          return
+        end
+        reload_frame_realm_by_id(realm_id, url.to_s, read_rack_body(resp_body), response_content_type(headers))
+      end
+      # Rebuild a frame realm reached via contentWindow (no @frame_stack entry):
+      # recover its container element handle + parent realm, swap in a fresh realm
+      # built from `html`, re-point the iframe at it, and fire the element load.
+      def reload_frame_realm_by_id(realm_id, url, html, content_type, restore_state: nil)
+        parent = @runtime.frame_realm_parent(realm_id)
+        handle = frame_container_handle(realm_id, parent)
+        return if handle.zero?
+        new_id = @runtime.reload_frame_realm(realm_id, parent.to_i, url, RuntimeShared.utf8_text(html), content_type).to_i
+        return if new_id.zero?
+        begin
+          rebind_frame_realm(parent, handle, realm_id, new_id)
+          # Restore captured form state (history traversal) BEFORE the element load
+          # fires, so the restored values are in place by the time the parent's
+          # `iframe.onload` handler — and any assertion after it — runs.
+          @runtime.realm_call(new_id, '__csimRestoreFormState', restore_state) if restore_state
+          frame_realm_host_call(parent, '__csimFireFrameElementLoad', handle)
+        rescue StandardError
+          # The element rebind/load failed — don't strand the freshly built realm
+          # (it's no longer referenced by any iframe), then surface the error.
+          @runtime.dispose_frame_realm(new_id)
+          raise
+        end
+        invalidate_find_cache
+        settle
+        new_id
+      end
+      # The iframe/frame element handle that owns `realm_id`, found in the document
+      # of its parent realm (main realm for a top-level frame).
+      def frame_container_handle(realm_id, parent)
+        frame_realm_host_call(parent, '__csimGetFrameHandle', realm_id).to_i
+      end
+      # Call a host fn in the realm that OWNS an iframe (main realm for 0/nil).
+      def frame_realm_host_call(parent_realm_id, fn, *args)
+        if parent_realm_id.nil? || parent_realm_id.zero?
+          @runtime.call(fn, *args)
         else
-          log_console('warn', "nested-context self-form POST (realm #{realm_id}) is not modeled")
+          @runtime.realm_call(parent_realm_id, fn, *args)
         end
       end
       def drain_pending_navigation
@@ -4109,6 +4895,7 @@ module Capybara
         consume_pending_frame_nav
         consume_pending_frame_submit
         consume_pending_frame_reload
+        consume_pending_frame_traverse
         consume_pending_reload
         consume_pending_history_traverse
         consume_pending_aux_window
@@ -4404,7 +5191,10 @@ module Capybara
             boot_response_into_ctx('')
             return
           end
-          record_history({method: :get, url: url}) unless from_history || depth > 0
+          unless from_history || depth > 0
+            capture_outgoing_form_state
+            record_history({method: :get, url: url})
+          end
           env = Rack::MockRequest.env_for(url, method: 'GET')
           apply_default_request_env(env, referer: referer)
           status, headers, body = dispatch_rack_or_http(url, env, method: 'GET')
@@ -4471,7 +5261,9 @@ module Capybara
         @runtime.rebuild_ctx
         # A full page (re)build disposes every frame realm, so any active
         # `within_frame` scope is now stale — fall back to the main document.
+        # Per-frame session histories are scoped to this document tree; drop them.
         reset_frame_scope
+        @frame_histories = nil
         reset_timer_state
         # The response content type drives both the parser choice (XML vs HTML —
         # XHTML/XML/SVG parse case-sensitively, no html/head/body skeleton,
@@ -4518,6 +5310,22 @@ module Capybara
         end
         opts['userAgent'] = @default_user_agent if @default_user_agent
         @document_handle = @runtime.call('__csimBootContext', opts).to_i
+        # Drain the app's deferred external-script (chunk) boot chain to quiescence.
+        # A dynamically-inserted external <script> runs async (setTimeout 0; HTML
+        # "prepare the script" force-async), so a module/chunk loader's scripts
+        # haven't executed when boot returns — leaving the page half-booted, where a
+        # negative assertion (have_no_*) passes early or a reactive control (a toggle
+        # whose handler a chunk wires up) does nothing. `run_loop_step(0)` fires only
+        # ALREADY-due timers (the setTimeout(0) chunks + their .then chains, which
+        # may insert further due-now chunks), NOT delayed app timers — so the lazy
+        # wall-sync clock is preserved (smoke_spec "queries DOM before advancing
+        # pending timers"). Bounded by the finite pending-script count.
+        if @runtime.respond_to?(:run_loop_step)
+          BOOT_SCRIPT_DRAIN_MAX_ITER.times do
+            break if @runtime.call('__csimPendingExternalScriptCount').to_i.zero?
+            @runtime.run_loop_step(0, SETTLE_MAX_ITER_TASKS, yield_on_gen: false)
+          end
+        end
         @polling_grace = POST_NAV_POLL_GRACE_POLLS
       end
 
@@ -4638,10 +5446,20 @@ module Capybara
         net_http_fetch(url, env, method: method, body: body) || @app.call(env)
       end
 
+      # Whether this is a universal-server context (the WPT runner's wptserve shim
+      # serves every host in-process). Gates cross-origin eager frame building: in
+      # such a context a cross-origin iframe's content IS served locally, so it
+      # eager-builds; an ordinary app leaves cross-origin frames lazy (= baseline),
+      # so an external embed isn't eager-fetched. A simple flag, NOT per-URL —
+      # url_is_local? compares only host:port (ignoring scheme) and treats a missing
+      # ref origin as local, which would eager-build frames the baseline left lazy.
+      def all_hosts_local? = @all_hosts_local
+
       # Path-only or fragment-only URLs are always against the current
       # origin. For absolute URLs, compare host:port to the cached
       # parsed @current_url (or default_host on first navigate).
       def url_is_local?(url)
+        return true if @all_hosts_local
         s = url.to_s
         return true if s.empty? || s.start_with?('/', '#', '?')
         uri = safe_uri(s)
@@ -4794,7 +5612,7 @@ module Capybara
       # within the `record_action` block, which handles begin/finish
       # step bookkeeping + on-failure DOM snapshot.
       module RecordedActions
-        def visit(url)
+        def visit(url, referer: nil)
           record_action(:visit, "visit #{url}") { super }
         end
         def refresh