[ MimeHandlerView ] Fix a browser crash

Navigations to a MimeHandlerView type could finish without calling
ReadyToCommitNavigation which is when MimeHandlerViewEmbedder sets
its |render_frame_host_| reference (e.g., due to FrameTreeNode
being removed mid navigation). This adds a null check to the
DidFinishNavigation override to avoid browser crashes.

Bug: 969840
Change-Id: I2aa595a9a444cb77c10d124e6e345505b76cc81c
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1643092
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Reviewed-by: James MacLean <wjmaclean@chromium.org>
Cr-Commit-Position: refs/heads/master@{#666048}

extensions/browser/guest_view/mime_handler_view/mime_handler_view_embedder.cc

@@ -218,8 +218,13 @@ void MimeHandlerViewEmbedder::ReadyToCreateMimeHandlerView(
 }
 
 void MimeHandlerViewEmbedder::CheckSandboxFlags() {
-  if (!render_frame_host_->IsSandboxed(blink::WebSandboxFlags::kPlugins))
+  // If the FrameTreeNode is deleted while it has ownership of the ongoing
+  // NavigationRequest, DidFinishNavigation is called before FrameDeleted (see
+  // https://crbug.com/969840).
+  if (render_frame_host_ &&
+      !render_frame_host_->IsSandboxed(blink::WebSandboxFlags::kPlugins)) {
     return;
+  }
   // Notify the renderer to load an empty page instead.
   GetContainerManager()->LoadEmptyPage(resource_url_);
   GetMimeHandlerViewEmbeddersMap()->erase(frame_tree_node_id_);