Diffstat (limited to 'chromium/content/browser/frame_host/navigation_controller_impl.h')
-rw-r--r--chromium/content/browser/frame_host/navigation_controller_impl.h51
1 files changed, 51 insertions, 0 deletions
diff --git a/chromium/content/browser/frame_host/navigation_controller_impl.h b/chromium/content/browser/frame_host/navigation_controller_impl.h
index b962bb24371..7e90cc92ce7 100644
--- a/chromium/content/browser/frame_host/navigation_controller_impl.h
+++ b/chromium/content/browser/frame_host/navigation_controller_impl.h
@@ -8,12 +8,14 @@
#include <stddef.h>
#include <stdint.h>
+#include <set>
#include <vector>
#include "base/callback.h"
#include "base/compiler_specific.h"
#include "base/gtest_prod_util.h"
#include "base/macros.h"
+#include "base/memory/weak_ptr.h"
#include "base/optional.h"
#include "base/time/time.h"
#include "build/build_config.h"
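Review bot: This include hunk adds `<set>` and `base/memory/weak_ptr.h`, but the same commit also declares `std::unique_ptr<PendingEntryRef> ReferencePendingEntry();` and the visible standard-library group goes straight from `<stdint.h>` to `<set>` with no `<memory>`. Unless `<memory>` is included further down, outside this hunk, the header relies on a transitive include. Adding `#include <memory>` ahead of `#include <set>` keeps the header self-contained.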
@@ -36,6 +38,35 @@ struct LoadCommittedDetails;
class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
public:
+ // This tracks one NavigationRequest navigating to a pending NavigationEntry.
+ // In some cases, several NavigationRequests are referencing the same pending
+ // NavigationEntry. For instance:
+ // - A reload requested while a reload is already in progress.
+ // - An history navigation causing several subframes to navigate.
+ //
+ // When no NavigationRequests are referencing the pending NavigationEntry
+ // anymore, it should be discarded to avoid a URL spoof.
+ //
+ // The deletion is not always immediate, because it is not possible to delete
+ // the entry while requesting a navigation to it at the same time. In this
+ // case, the deletion happens later, when returning from the function.
+ //
+ // If the pending NavigationEntry is discarded before the PendingEntryRef(s),
+ // then removing the last associated PendingEntryRef is a no-op. It is a no-op
+ // forever, even if the entry becomes the pending NavigationEntry again in the
+ // meantime. Rather than track the NavigationRequest or pending entry
+ // explicitly, this ref class simply goes into a set that gets cleared with
+ // each change to the pending entry
+ class PendingEntryRef {
+ public:
+ PendingEntryRef(base::WeakPtr<NavigationControllerImpl> controller);
+ ~PendingEntryRef();
+
+ private:
+ base::WeakPtr<NavigationControllerImpl> controller_;
+ DISALLOW_COPY_AND_ASSIGN(PendingEntryRef);
+ };
+
NavigationControllerImpl(
NavigationControllerDelegate* delegate,
BrowserContext* browser_context);
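Review bot: The single-argument constructor of `PendingEntryRef` is not `explicit`, so a `base::WeakPtr<NavigationControllerImpl>` converts implicitly into an object whose destruction can discard the pending entry; declare it `explicit PendingEntryRef(base::WeakPtr<NavigationControllerImpl> controller);`. The class comment also does not say why the back-pointer is weak. Presumably a ref held by a NavigationRequest can outlive the controller, in which case the destructor has to treat a null `controller_` as a no-op; the destructor body is not in this header, so that is worth confirming and stating in the comment. Minor wording: "An history navigation" should be "A history navigation", and the final sentence of the comment is missing its period.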
@@ -264,6 +295,11 @@ class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
// entries can be updated as needed.
void NotifyUserActivation();
+ // Tracks a new association between the current pending entry and a
+ // NavigationRequest. Callers are responsible for only calling this for
+ // requests corresponding to the current pending entry.
+ std::unique_ptr<PendingEntryRef> ReferencePendingEntry();
+
private:
friend class RestoreHelper;
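Review bot: The contract on `ReferencePendingEntry()` ("callers are responsible for only calling this for requests corresponding to the current pending entry") is not enforced by anything in the declaration. A ref taken for the wrong entry would tie the spoof-prevention discard to an unrelated request's lifetime. The implementation is outside this hunk; it should at least `DCHECK(pending_entry_);`, and the comment should say what is returned when there is no pending entry. Since dropping the returned pointer destroys the ref at once and may discard the pending entry, consider `std::unique_ptr<PendingEntryRef> ReferencePendingEntry() WARN_UNUSED_RESULT;`.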
@@ -491,6 +527,11 @@ class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
// at |reference_index| will get their skippable flag set to |skippable|.
void SetSkippableForSameDocumentEntries(int reference_index, bool skippable);
+ // Called when one PendingEntryRef is deleted. When all of the refs for the
+ // current pending entry have been deleted, this automatically discards the
+ // pending NavigationEntry.
+ void PendingEntryRefDeleted(PendingEntryRef* ref);
+
// ---------------------------------------------------------------------------
// The user browser context associated with this controller.
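Review bot: The comment on `PendingEntryRefDeleted()` leaves out the case the PendingEntryRef class comment calls a permanent no-op: a ref that is no longer in `pending_entry_refs_` because the pending entry has changed must not trigger a discard. The call presumably comes from `~PendingEntryRef()`, so `ref` points at an object that is being destroyed and should be used only as a lookup key. Suggested addition: `// |ref| is used only as a key and must not be dereferenced; a ref that is no longer in |pending_entry_refs_| is ignored.`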
@@ -508,6 +549,14 @@ class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
// the memory management.
NavigationEntryImpl* pending_entry_;
+ // This keeps track of the NavigationRequests associated with the pending
+ // NavigationEntry. When all of them have been deleted, or have stopped
+ // loading, the pending NavigationEntry can be discarded.
+ //
+ // This is meant to avoid a class of URL spoofs where the navigation is
+ // canceled, but the stale pending NavigationEntry is left in place.
+ std::set<PendingEntryRef*> pending_entry_refs_;
+
// If a new entry fails loading, details about it are temporarily held here
// until the error page is shown (or 0 otherwise).
//
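Review bot: The comment on `pending_entry_refs_` does not state the invariant the spoof fix depends on. According to the PendingEntryRef class comment, the set is cleared on every change to the pending entry; if one assignment to `pending_entry_` misses that clear, a ref taken for an old entry could discard a newer one, or a stale entry could stay visible. Add it next to the member, e.g. `// Holds non-owning pointers; must be cleared whenever |pending_entry_| changes.` The sites that assign `pending_entry_` are outside this header and are each worth checking for the clear.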
@@ -584,6 +633,8 @@ class CONTENT_EXPORT NavigationControllerImpl : public NavigationController {
// Stores frozen RenderFrameHost. Restores them on history navigation.
// See BackForwardCache class documentation.
BackForwardCache back_forward_cache_;
+ // NOTE: This must be the last member.
+ base::WeakPtrFactory<NavigationControllerImpl> weak_factory_{this};
DISALLOW_COPY_AND_ASSIGN(NavigationControllerImpl);
};
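Review bot: The comment on `weak_factory_` says what is required ("must be the last member") but not why, and there is no blank line separating it from `back_forward_cache_`. Suggested wording: `// Must be the last member so that outstanding WeakPtrs (held by PendingEntryRefs) are invalidated before any other member is destroyed.`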