    Fix for URL spoof caused by deletion of speculative RFH · 37234337
    clamy authored
    This CL fixes a security issue where a website could succeed in spoofing the
    URL of a cross-process navigation by issuing an endless loop of JavaScript
    navigations. When the cross-site navigation was ready to commit, a
    renderer-initiated navigation would start, causing the deletion of the
    speculative RenderFrameHost. However, we would not update the visible URL for
    the tab, even though the load of the cross-site navigation had stopped (due to
    the deletion of the speculative RFH). This CL ensures that the pending
    NavigationEntry is deleted in that case.
    
    BUG=760342
    
    Change-Id: Ie24beda484ebd6daca5feb17f74da921eac80ce9
    Reviewed-on: https://chromium-review.googlesource.com/808924
    Commit-Queue: Charlie Reis <creis@chromium.org>
    Reviewed-by: Charlie Reis <creis@chromium.org>
    Cr-Commit-Position: refs/heads/master@{#522231}
Changed file: render_frame_host_manager.cc