I think there are some solutions to this problem. Akin to "after a back navigation, you cannot add to the history state without a user interaction"-- or better "the history stack can never grow beyond the number of user interactions". Basically, I should always be able to navigate back to the referrer in a definitive number of actions.
I think that can still be gamed by forcing nonsense interactions that seem meaningful on the user.
This is a really tricky one to solve because the protection that is intended to guard against it ("The user is aware the current domain they are accessing doesn't match the site they expect it to match") isn't working. I think that aspect is the larger problem... IRL, people know if they're standing in a Target vs. a used car dealership, but they rarely know if they're at target.com instead of target.used-car-dealership.com.
It's possible the browser's framing should be changed to make it harder to be confused about that (color-and-texture-hash the TLD and apply it to the URL bar as a background, so there's a major visual difference if I'm on the wrong site?).
