When determining whether or not to swap processes on navigation, check the top frame's URL.

chrome/renderer/chrome_content_renderer_client.cc

Index: chrome/renderer/chrome_content_renderer_client.cc
diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc
index 759388adf7a80b9607e5a0df5390d40610a7b2bb..eb8a541c9ba5f6f80fd1d18ca75f82f2d375906a 100644
--- a/chrome/renderer/chrome_content_renderer_client.cc
+++ b/chrome/renderer/chrome_content_renderer_client.cc
@@ -671,13 +671,14 @@ bool ChromeContentRendererClient::CrossesExtensionExtents(WebFrame* frame,
                                                           const GURL& new_url) {
   const ExtensionSet* extensions = extension_dispatcher_->extensions();
   // If the URL is still empty, this is a window.open navigation. Check the
-  // opener's URL.
+  // opener's URL. In all cases we use the top frame's URL (as opposed to our
+  // frame's) since that's what determines the type of process.
   // TODO(abarth): This code is super sketchy! Are you sure looking at the
   // opener is correct here?  This appears to let me steal my opener's
   // privileges if I can make my URL be "empty."
-  GURL old_url(frame->document().url());
+  GURL old_url(frame->top()->document().url());
   if (old_url.is_empty() && frame->opener())
-    old_url = frame->opener()->document().url();
+    old_url = frame->top()->opener()->top()->document().url();
 
   // If this is a reload, check whether it has the wrong process type.  We
   // should send it to the browser if it's an extension URL (e.g., hosted app)