diff --git a/Tests/LibWeb/Text/expected/HTML/img-src-in-innerHTML-crash.txt b/Tests/LibWeb/Text/expected/HTML/img-src-in-innerHTML-crash.txt
new file mode 100644
index 0000000000..f8f42fcc4f
--- /dev/null
+++ b/Tests/LibWeb/Text/expected/HTML/img-src-in-innerHTML-crash.txt
@@ -0,0 +1,2 @@
+PASS! (Didn't crash)
+data:text/png,
diff --git a/Tests/LibWeb/Text/input/HTML/img-src-in-innerHTML-crash.html b/Tests/LibWeb/Text/input/HTML/img-src-in-innerHTML-crash.html
new file mode 100644
index 0000000000..76bc46cfd0
--- /dev/null
+++ b/Tests/LibWeb/Text/input/HTML/img-src-in-innerHTML-crash.html
@@ -0,0 +1,9 @@
+<script src="../include.js"></script>
+<script>
+    test(() => {
+        let e = document.createElement("div");
+        e.innerHTML = "<img src='data:text/png,'>";
+        println("PASS! (Didn't crash)");
+        println(e.firstChild.src);
+    });
+</script>
diff --git a/Userland/Libraries/LibWeb/Bindings/HostDefined.cpp b/Userland/Libraries/LibWeb/Bindings/HostDefined.cpp
index 1523201e1f..4dd279eecf 100644
--- a/Userland/Libraries/LibWeb/Bindings/HostDefined.cpp
+++ b/Userland/Libraries/LibWeb/Bindings/HostDefined.cpp
@@ -9,6 +9,7 @@
 #include <LibWeb/Bindings/HostDefined.h>
 #include <LibWeb/Bindings/Intrinsics.h>
 #include <LibWeb/HTML/Scripting/Environments.h>
+#include <LibWeb/Page/Page.h>
 
 namespace Web::Bindings {
 
@@ -17,6 +18,7 @@ void HostDefined::visit_edges(JS::Cell::Visitor& visitor)
     JS::Realm::HostDefined::visit_edges(visitor);
     visitor.visit(environment_settings_object);
     visitor.visit(intrinsics);
+    visitor.visit(page);
 }
 
 }
diff --git a/Userland/Libraries/LibWeb/Bindings/HostDefined.h b/Userland/Libraries/LibWeb/Bindings/HostDefined.h
index ab8c7d77bf..54f49ffe4c 100644
--- a/Userland/Libraries/LibWeb/Bindings/HostDefined.h
+++ b/Userland/Libraries/LibWeb/Bindings/HostDefined.h
@@ -14,9 +14,10 @@
 namespace Web::Bindings {
 
 struct HostDefined : public JS::Realm::HostDefined {
-    HostDefined(JS::NonnullGCPtr<HTML::EnvironmentSettingsObject> eso, JS::NonnullGCPtr<Intrinsics> intrinsics)
+    HostDefined(JS::NonnullGCPtr<HTML::EnvironmentSettingsObject> eso, JS::NonnullGCPtr<Intrinsics> intrinsics, JS::NonnullGCPtr<Page> page)
         : environment_settings_object(eso)
         , intrinsics(intrinsics)
+        , page(page)
     {
     }
     virtual ~HostDefined() override = default;
@@ -24,6 +25,7 @@ struct HostDefined : public JS::Realm::HostDefined {
 
     JS::NonnullGCPtr<HTML::EnvironmentSettingsObject> environment_settings_object;
     JS::NonnullGCPtr<Intrinsics> intrinsics;
+    JS::NonnullGCPtr<Page> page;
 };
 
 [[nodiscard]] inline HTML::EnvironmentSettingsObject& host_defined_environment_settings_object(JS::Realm& realm)
@@ -31,4 +33,9 @@ struct HostDefined : public JS::Realm::HostDefined {
     return *verify_cast<HostDefined>(realm.host_defined())->environment_settings_object;
 }
 
+[[nodiscard]] inline Page& host_defined_page(JS::Realm& realm)
+{
+    return *verify_cast<HostDefined>(realm.host_defined())->page;
+}
+
 }
diff --git a/Userland/Libraries/LibWeb/DOM/Document.cpp b/Userland/Libraries/LibWeb/DOM/Document.cpp
index 3d1d54fdf6..b86e365163 100644
--- a/Userland/Libraries/LibWeb/DOM/Document.cpp
+++ b/Userland/Libraries/LibWeb/DOM/Document.cpp
@@ -236,6 +236,7 @@ WebIDL::ExceptionOr<JS::NonnullGCPtr<Document>> Document::create_and_initialize(
         // FIXME: Why do we assume `creation_url` is non-empty here? Is this a spec bug?
         // FIXME: Why do we assume `top_level_creation_url` is non-empty here? Is this a spec bug?
         HTML::WindowEnvironmentSettingsObject::setup(
+            browsing_context->page(),
             creation_url.value(),
             move(realm_execution_context),
             navigation_params.reserved_environment.visit(
@@ -321,6 +322,7 @@ JS::NonnullGCPtr<Document> Document::create(JS::Realm& realm, AK::URL const& url
 
 Document::Document(JS::Realm& realm, const AK::URL& url)
     : ParentNode(realm, *this, NodeType::DOCUMENT_NODE)
+    , m_page(Bindings::host_defined_page(realm))
     , m_style_computer(make<CSS::StyleComputer>(*this))
     , m_url(url)
 {
@@ -353,6 +355,7 @@ void Document::initialize(JS::Realm& realm)
 void Document::visit_edges(Cell::Visitor& visitor)
 {
     Base::visit_edges(visitor);
+    visitor.visit(m_page);
     visitor.visit(m_window);
     visitor.visit(m_layout_root);
     visitor.visit(m_style_sheets);
@@ -1908,12 +1911,12 @@ void Document::update_readiness(HTML::DocumentReadyState readiness_value)
 
 Page* Document::page()
 {
-    return m_browsing_context ? &m_browsing_context->page() : nullptr;
+    return m_page;
 }
 
 Page const* Document::page() const
 {
-    return m_browsing_context ? &m_browsing_context->page() : nullptr;
+    return m_page;
 }
 
 EventTarget* Document::get_parent(Event const& event)
diff --git a/Userland/Libraries/LibWeb/DOM/Document.h b/Userland/Libraries/LibWeb/DOM/Document.h
index 39ed09179f..962fde87c1 100644
--- a/Userland/Libraries/LibWeb/DOM/Document.h
+++ b/Userland/Libraries/LibWeb/DOM/Document.h
@@ -572,6 +572,7 @@ private:
 
     Element* find_a_potential_indicated_element(FlyString const& fragment) const;
 
+    JS::NonnullGCPtr<Page> m_page;
     OwnPtr<CSS::StyleComputer> m_style_computer;
     JS::GCPtr<CSS::StyleSheetList> m_style_sheets;
     JS::GCPtr<Node> m_hovered_node;
diff --git a/Userland/Libraries/LibWeb/HTML/BrowsingContext.cpp b/Userland/Libraries/LibWeb/HTML/BrowsingContext.cpp
index d872f45de5..eb54fa8fd7 100644
--- a/Userland/Libraries/LibWeb/HTML/BrowsingContext.cpp
+++ b/Userland/Libraries/LibWeb/HTML/BrowsingContext.cpp
@@ -175,6 +175,7 @@ WebIDL::ExceptionOr<BrowsingContext::BrowsingContextAndDocument> BrowsingContext
 
     // 12. Set up a window environment settings object with about:blank, realm execution context, null, topLevelCreationURL, and topLevelOrigin.
     WindowEnvironmentSettingsObject::setup(
+        page,
         AK::URL("about:blank"),
         move(realm_execution_context),
         {},
diff --git a/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.cpp b/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.cpp
index e05e71e460..b2e73abc4a 100644
--- a/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.cpp
@@ -29,7 +29,7 @@ void WindowEnvironmentSettingsObject::visit_edges(JS::Cell::Visitor& visitor)
 }
 
 // https://html.spec.whatwg.org/multipage/window-object.html#set-up-a-window-environment-settings-object
-void WindowEnvironmentSettingsObject::setup(AK::URL const& creation_url, NonnullOwnPtr<JS::ExecutionContext> execution_context, Optional<Environment> reserved_environment, AK::URL top_level_creation_url, Origin top_level_origin)
+void WindowEnvironmentSettingsObject::setup(Page& page, AK::URL const& creation_url, NonnullOwnPtr<JS::ExecutionContext> execution_context, Optional<Environment> reserved_environment, AK::URL top_level_creation_url, Origin top_level_origin)
 {
     // 1. Let realm be the value of execution context's Realm component.
     auto realm = execution_context->realm;
@@ -74,7 +74,7 @@ void WindowEnvironmentSettingsObject::setup(AK::URL const& creation_url, Nonnull
     // 7. Set realm's [[HostDefined]] field to settings object.
     // Non-Standard: We store the ESO next to the web intrinsics in a custom HostDefined object
     auto intrinsics = realm->heap().allocate<Bindings::Intrinsics>(*realm, *realm);
-    auto host_defined = make<Bindings::HostDefined>(settings_object, intrinsics);
+    auto host_defined = make<Bindings::HostDefined>(settings_object, intrinsics, page);
     realm->set_host_defined(move(host_defined));
 
     // Non-Standard: We cannot fully initialize window object until *after* the we set up
diff --git a/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.h b/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.h
index 2217ec0388..5cc0a04a26 100644
--- a/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.h
+++ b/Userland/Libraries/LibWeb/HTML/Scripting/WindowEnvironmentSettingsObject.h
@@ -16,7 +16,7 @@ class WindowEnvironmentSettingsObject final : public EnvironmentSettingsObject {
     JS_DECLARE_ALLOCATOR(WindowEnvironmentSettingsObject);
 
 public:
-    static void setup(AK::URL const& creation_url, NonnullOwnPtr<JS::ExecutionContext>, Optional<Environment>, AK::URL top_level_creation_url, Origin top_level_origin);
+    static void setup(Page&, AK::URL const& creation_url, NonnullOwnPtr<JS::ExecutionContext>, Optional<Environment>, AK::URL top_level_creation_url, Origin top_level_origin);
 
     virtual ~WindowEnvironmentSettingsObject() override;
 
diff --git a/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.cpp b/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.cpp
index 78e6e9e738..4db9041f7c 100644
--- a/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.cpp
+++ b/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.cpp
@@ -11,7 +11,7 @@ namespace Web::HTML {
 
 JS_DEFINE_ALLOCATOR(WorkerEnvironmentSettingsObject);
 
-JS::NonnullGCPtr<WorkerEnvironmentSettingsObject> WorkerEnvironmentSettingsObject::setup(NonnullOwnPtr<JS::ExecutionContext> execution_context /* FIXME: null or an environment reservedEnvironment, a URL topLevelCreationURL, and an origin topLevelOrigin */)
+JS::NonnullGCPtr<WorkerEnvironmentSettingsObject> WorkerEnvironmentSettingsObject::setup(JS::NonnullGCPtr<Page> page, NonnullOwnPtr<JS::ExecutionContext> execution_context /* FIXME: null or an environment reservedEnvironment, a URL topLevelCreationURL, and an origin topLevelOrigin */)
 {
     auto realm = execution_context->realm;
     VERIFY(realm);
@@ -22,7 +22,7 @@ JS::NonnullGCPtr<WorkerEnvironmentSettingsObject> WorkerEnvironmentSettingsObjec
     settings_object->target_browsing_context = nullptr;
 
     auto intrinsics = realm->heap().allocate<Bindings::Intrinsics>(*realm, *realm);
-    auto host_defined = make<Bindings::HostDefined>(settings_object, intrinsics);
+    auto host_defined = make<Bindings::HostDefined>(settings_object, intrinsics, page);
     realm->set_host_defined(move(host_defined));
 
     // Non-Standard: We cannot fully initialize worker object until *after* the we set up
diff --git a/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.h b/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.h
index ba7d9f6d84..2b7957f048 100644
--- a/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.h
+++ b/Userland/Libraries/LibWeb/HTML/Scripting/WorkerEnvironmentSettingsObject.h
@@ -24,7 +24,7 @@ public:
     {
     }
 
-    static JS::NonnullGCPtr<WorkerEnvironmentSettingsObject> setup(NonnullOwnPtr<JS::ExecutionContext> execution_context /* FIXME: null or an environment reservedEnvironment, a URL topLevelCreationURL, and an origin topLevelOrigin */);
+    static JS::NonnullGCPtr<WorkerEnvironmentSettingsObject> setup(JS::NonnullGCPtr<Page> page, NonnullOwnPtr<JS::ExecutionContext> execution_context /* FIXME: null or an environment reservedEnvironment, a URL topLevelCreationURL, and an origin topLevelOrigin */);
 
     virtual ~WorkerEnvironmentSettingsObject() override = default;
 
diff --git a/Userland/Services/WebWorker/DedicatedWorkerHost.cpp b/Userland/Services/WebWorker/DedicatedWorkerHost.cpp
index 1e75961558..85498bddf6 100644
--- a/Userland/Services/WebWorker/DedicatedWorkerHost.cpp
+++ b/Userland/Services/WebWorker/DedicatedWorkerHost.cpp
@@ -55,7 +55,7 @@ void DedicatedWorkerHost::run()
 
     // 9. Set up a worker environment settings object with realm execution context,
     //    outside settings, and unsafeWorkerCreationTime, and let inside settings be the result.
-    auto inner_settings = Web::HTML::WorkerEnvironmentSettingsObject::setup(move(realm_execution_context));
+    auto inner_settings = Web::HTML::WorkerEnvironmentSettingsObject::setup(m_page, move(realm_execution_context));
 
     auto& console_object = *inner_settings->realm().intrinsics().console_object();
     m_console = adopt_ref(*new Web::HTML::WorkerDebugConsoleClient(console_object.console()));