-
Arthur Hemery authored
When going through NavigateFromFrameProxy, it is possible to cancel an ongoing browser initiated navigation if we have a navigation that moved from the FrameTreeNode to the RenderFrameHost already. In this case however, under specific timing conditions, and if this new navigation does not commit, we could be left in a state that has a pending navigation entry to the original browser initiated navigation, effectively spoofing the URL. To make sure we do not leave the pending navigation entry hanging, we discard it as soon as we try to do another navigation and cancel the original one. Bug: 966914 Change-Id: Ib9b66bd87f072b89465da0793296142cf8523cb9 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1751205 Commit-Queue: Arthur Hemery <ahemery@chromium.org> Reviewed-by:
Arthur Sonzogni <arthursonzogni@chromium.org> Cr-Commit-Position: refs/heads/master@{#697540}
94874276
