bfcache: Fix SecurityExploitBrowserTest.InvalidBeginNavigationInitiator

1) The test has been fixed by:
   https://chromium-review.googlesource.com/c/chromium/src/+/1816509
   The fix was to flush the BackForwardCache to avoid the
   FrameHostInterceptor to miss "simulating RenderFrameHostCreated" on
   the RenderFrameHost in the BackForwardCache.

2) Flushing the cache became asynchronous, which caused the test to fail
   again.
   https://chromium-review.googlesource.com/c/chromium/src/+/1807321

In this CL, instead of flushing the BackForwardCache, we create the
FrameHostInterceptor before the navigations. That way, it can correctly
index every created RenderFrameHost. It won't have to simulate receiving
RenderFrameHostCreated anymore.

Bug: 1017605
Change-Id: I882d459e53a84331f4ec8dfaa4df1b07cc160c2f
Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/1878187Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Commit-Queue: Arthur Sonzogni <arthursonzogni@chromium.org>
Cr-Commit-Position: refs/heads/master@{#709408}

content/browser/security_exploit_browsertest.cc

@@ -1337,25 +1337,18 @@ class BeginNavigationInitiatorReplacer : public FrameHostInterceptor {
 
 IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest,
                        InvalidBeginNavigationInitiator) {
-  // Explicitly isolating a.com helps ensure that this test is applicable on
-  // platforms without site-per-process.
-  IsolateOrigin("a.com");
-
-  // IsolateOrigin internally performs navigations which get stored into the
-  // back-forward cache. It needs to be flushed. The
-  // BeginNavigationInitiatorReplacer below will simulate receiving
-  // RenderFrameCreated() on every active RenderFrameHost, but it will miss the
-  // ones in the BackForwardCache. This would causes a mismatch later when it
-  // will observe RenderFrameDeleted.
   WebContentsImpl* web_contents =
       static_cast<WebContentsImpl*>(shell()->web_contents());
-  web_contents->GetController().GetBackForwardCache().Flush();
 
-  // Prepare to intercept BeginNavigation mojo IPC.  This has to be done before
+  // Prepare to intercept BeginNavigation mojo IPC. This has to be done before
   // the test creates the RenderFrameHostImpl that is the target of the IPC.
   BeginNavigationInitiatorReplacer injector(
       web_contents, url::Origin::Create(GURL("http://b.com")));
 
+  // Explicitly isolating a.com helps ensure that this test is applicable on
+  // platforms without site-per-process.
+  IsolateOrigin("a.com");
+
   // Navigate to a test page that will be locked to a.com.
   GURL main_url(embedded_test_server()->GetURL("a.com", "/title1.html"));
   EXPECT_TRUE(NavigateToURL(web_contents, main_url));

testing/buildbot/filters/bfcache.content_browsertests.filter

@@ -50,6 +50,3 @@
 # histogram is not recorded before the end of the test.
 -SignedExchangeRequestHandlerBrowserTest.Simple/3
 -SignedExchangeRequestHandlerBrowserTest.VariantMatch/3
-
-# https://crbug.com/1017605
--SecurityExploitBrowserTest.InvalidBeginNavigationInitiator