Use the request's URL rather than the document's when deciding to swap.

content/renderer/render_view.cc

Index: content/renderer/render_view.cc
diff --git a/content/renderer/render_view.cc b/content/renderer/render_view.cc
index ff103c73f95a7932834733b5829fbe90cd1762cf..a6e16c8f23dad020b855f0c38d7bf0a4b96bf615 100644
--- a/content/renderer/render_view.cc
+++ b/content/renderer/render_view.cc
@@ -2092,8 +2092,6 @@ WebNavigationPolicy RenderView::decidePolicyForNavigation(
     return WebKit::WebNavigationPolicyIgnore;  // Suppress the load here.
   }
 
-  GURL old_url(frame->document().url());
-
   // Detect when we're crossing a permission-based boundary (e.g. into or out of
   // an extension or app origin, leaving a WebUI page, etc). We only care about
   // top-level navigations within the current tab (as opposed to, for example,
@@ -2139,6 +2137,11 @@ WebNavigationPolicy RenderView::decidePolicyForNavigation(
     }
   }
 
+  // Use the frame's original request's URL rather than the document's URL for
+  // this check.  For a popup, the document's URL may become the opener window's
+  // URL if the opener has called document.write.  See http://crbug.com/93517.
+  GURL old_url(frame->dataSource()->request().url());
+
   // Detect when a page is "forking" a new tab that can be safely rendered in
   // its own process.  This is done by sites like Gmail that try to open links
   // in new windows without script connections back to the original page.  We