This test will try to confuse the browser to show the wrong domain in the URL bar by opening a new window
and then rewriting the location of the new window from the parent. The new window will show a message that
the address bar has been spoofed. Tap "New Window", then return to this tab, and tap "Spoof" to see the
address bar change to "https://broken.third-party.site". If it doesn't show as such, the browser is not
vulnerable to this attack. Note: this won't work if run from broken.third-party.site. Ensure it is run from
another origin such as https://privacy-test-pages.site.