Don't show URL for pending new navigations initiated by the renderer.

content/browser/tab_contents/navigation_controller.cc

Index: content/browser/tab_contents/navigation_controller.cc
diff --git a/content/browser/tab_contents/navigation_controller.cc b/content/browser/tab_contents/navigation_controller.cc
index 4483d669dafe5ed787cf32021101ebab46529135..89af2561a25175f703bfc119e4430ac688f26e05 100644
--- a/content/browser/tab_contents/navigation_controller.cc
+++ b/content/browser/tab_contents/navigation_controller.cc
@@ -290,8 +290,15 @@ NavigationEntry* NavigationController::GetActiveEntry() const {
 NavigationEntry* NavigationController::GetVisibleEntry() const {
   if (transient_entry_index_ != -1)
     return entries_[transient_entry_index_].get();
-  // Only return pending_entry for new navigations.
-  if (pending_entry_ && pending_entry_->page_id() == -1)
+  // Only return the pending_entry for new (non-history), browser-initiated
+  // navigations, in order to prevent URL spoof attacks.
+  // Ideally we would also show the pending entry's URL for new renderer-
+  // initiated navigations with no last committed entry (e.g., a link opening
+  // in a new tab), but an attacker can insert content into the about:blank
+  // page while the pending URL loads in that case.
+  if (pending_entry_ &&
+      pending_entry_->page_id() == -1 &&
+      pending_entry_->IsBrowserInitiated())
     return pending_entry_;
   return GetLastCommittedEntry();
 }