Use the request's URL rather than the document's when deciding to swap.

content/renderer/render_view.cc

Index: content/renderer/render_view.cc
diff --git a/content/renderer/render_view.cc b/content/renderer/render_view.cc
index c25e2f380d50ce46e9e51bf55fcef7395aec1025..de27133e57e6583ec5fc8a2c3be9fcfbe2b5a35c 100644
--- a/content/renderer/render_view.cc
+++ b/content/renderer/render_view.cc
@@ -2083,8 +2083,6 @@ WebNavigationPolicy RenderView::decidePolicyForNavigation(
     return WebKit::WebNavigationPolicyIgnore;  // Suppress the load here.
   }
 
-  GURL old_url(frame->document().url());
-
   // Detect when we're crossing a permission-based boundary (e.g. into or out of
   // an extension or app origin, leaving a WebUI page, etc). We only care about
   // top-level navigations within the current tab (as opposed to, for example,
@@ -2130,6 +2128,11 @@ WebNavigationPolicy RenderView::decidePolicyForNavigation(
     }
   }
 
+  // Use the request's URL rather than the document's URL for this check.  For

[Matt Perry, 2011/08/25 18:45:20]

nit: say something like "the frame's original request's URL" to distinguish it
from the currently fetched request.

[Charlie Reis, 2011/08/25 22:07:31]

Done.

+  // a popup, the document's URL may become the opener window's URL if the
+  // opener has called document.write.  See http://crbug.com/93517.
+  GURL old_url(frame->dataSource()->request().url());
+
   // Detect when a page is "forking" a new tab that can be safely rendered in
   // its own process.  This is done by sites like Gmail that try to open links
   // in new windows without script connections back to the original page.  We