author | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-01-29 11:11:52 +0100 |
committer | Allan Sandfeld Jensen <allan.jensen@qt.io> | 2018-02-01 12:04:17 +0000 |
commit | 23fb7e37aea3cf967c2d2884c6de675b5fdad276 (patch) | |
tree | 1296c60fd983d8a8b59c4654741d778f396ca800 | |
parent | 652815756ec6b8c1b98c7000af92deafc4d15bda (diff) | |
download | qtwebengine-chromium-23fb7e37aea3cf967c2d2884c6de675b5fdad276.tar.gz |
[Backport] Fix issue with pending NavigationEntry being wrongly deleted
This CL makes sure we don't delete the pending NavigationEntry when
RenderFrameHostManager::GetFrameHostForNavigation is called following a
call to NavigationController::NavigateToEntry.
BUG=796135,760342
Reviewed-on: https://chromium-review.googlesource.com/867030
Commit-Queue: Charlie Reis <creis@chromium.org>
Reviewed-by: Charlie Reis <creis@chromium.org>
Cr-Original-Commit-Position: refs/heads/master@{#529954}
(cherry picked from commit 4820ab1967e126c20c98e00606ee4648f071f62f)
Reviewed-on: https://chromium-review.googlesource.com/876362
Reviewed-by: Camille Lamy <clamy@chromium.org>
Cr-Commit-Position: refs/branch-heads/3282@{#549}
Cr-Branched-From: 5fdc0fab22ce7efd32532ee989b223fa12f8171e-refs/heads/master@{#520840}
(CVE-2018-6040) [3/3]
Change-Id: I840e945db73a06cac5cd704c4241826dc75fa61d
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
-rw-r--r-- | chromium/content/browser/frame_host/render_frame_host_manager.cc | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/chromium/content/browser/frame_host/render_frame_host_manager.cc b/chromium/content/browser/frame_host/render_frame_host_manager.cc
index 0777ffcf38f..4b9ce0f7a4a 100644
--- a/chromium/content/browser/frame_host/render_frame_host_manager.cc
+++ b/chromium/content/browser/frame_host/render_frame_host_manager.cc
@@ -758,6 +758,21 @@ RenderFrameHostImpl* RenderFrameHostManager::GetFrameHostForNavigation(
 if (!speculative_render_frame_host_ ||
 speculative_render_frame_host_->GetSiteInstance() !=
 dest_site_instance.get()) {
+ // If there is a speculative RenderFrameHost trying to commit a
+ // navigation, inform the NavigationController that the load of the
+ // corresponding NavigationEntry stopped if needed. This is the case if
+ // the new navigation was started from BeginNavigation. If the navigation
+ // was started through the NavigationController, the NavigationController
+ // has already updated its state properly, and doesn't need to be
+ // notified.
+ if (speculative_render_frame_host_ &&
+ speculative_render_frame_host_->navigation_handle() &&
+ request.from_begin_navigation()) {
+ frame_tree_node_->navigator()->DiscardPendingEntryIfNeeded(
+ speculative_render_frame_host_->navigation_handle()
+ ->pending_nav_entry_id());
+ }
+
 // If a previous speculative RenderFrameHost didn't exist or if its
 // SiteInstance differs from the one for the current URL, a new one needs
 // to be created.
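Review bot: In the visible hunks the pending-entry discard now happens only in this branch of GetFrameHostForNavigation and only when `request.from_begin_navigation()` is true, while the unconditional discard in CleanUpNavigation is removed in the next hunk; any caller of CleanUpNavigation that is not preceded by a replacing navigation through this path (its callers are outside the hunk, so this is inferred) would no longer release the pending entry for the cancelled navigation, which is worth confirming before relying on the narrower condition. The new condition also evaluates `speculative_render_frame_host_->navigation_handle()` twice; hoisting it reads more clearly as `auto* handle = speculative_render_frame_host_ ? speculative_render_frame_host_->navigation_handle() : nullptr;` followed by `if (handle && request.from_begin_navigation())` and `frame_tree_node_->navigator()->DiscardPendingEntryIfNeeded(handle->pending_nav_entry_id());`. GetFrameHostForNavigation starts and ends outside the hunk.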
@@ -857,14 +872,6 @@ RenderFrameHostImpl* RenderFrameHostManager::GetFrameHostForNavigation(
 void RenderFrameHostManager::CleanUpNavigation() {
 CHECK(IsBrowserSideNavigationEnabled());
 if (speculative_render_frame_host_) {
- // If the speculative RenderFrameHost is trying to commit a navigation,
- // inform the NavigationController that the load of the corresponding
- // NavigationEntry stopped.
- if (speculative_render_frame_host_->navigation_handle()) {
- frame_tree_node_->navigator()->DiscardPendingEntryIfNeeded(
- speculative_render_frame_host_->navigation_handle()
- ->pending_nav_entry_id());
- }
 bool was_loading = speculative_render_frame_host_->is_loading();
 DiscardUnusedFrame(UnsetSpeculativeRenderFrameHost());
 if (was_loading)