Index: content/browser/tab_contents/navigation_controller.cc |
diff --git a/content/browser/tab_contents/navigation_controller.cc b/content/browser/tab_contents/navigation_controller.cc |
index 4483d669dafe5ed787cf32021101ebab46529135..89af2561a25175f703bfc119e4430ac688f26e05 100644 |
--- a/content/browser/tab_contents/navigation_controller.cc |
+++ b/content/browser/tab_contents/navigation_controller.cc |
@@ -290,8 +290,15 @@ NavigationEntry* NavigationController::GetActiveEntry() const { |
NavigationEntry* NavigationController::GetVisibleEntry() const { |
if (transient_entry_index_ != -1) |
return entries_[transient_entry_index_].get(); |
- // Only return pending_entry for new navigations. |
- if (pending_entry_ && pending_entry_->page_id() == -1) |
+ // Only return the pending_entry for new (non-history), browser-initiated |
+ // navigations, in order to prevent URL spoof attacks. |
+ // Ideally we would also show the pending entry's URL for new renderer- |
+ // initiated navigations with no last committed entry (e.g., a link opening |
+ // in a new tab), but an attacker can insert content into the about:blank |
+ // page while the pending URL loads in that case. |
+ if (pending_entry_ && |
+ pending_entry_->page_id() == -1 && |
+ pending_entry_->IsBrowserInitiated()) |
return pending_entry_; |
return GetLastCommittedEntry(); |
} |
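Review bot: The spoof-prevention invariant on the new condition (L18-L20) is split between a magic sentinel and a method call: `page_id() == -1` stands for "never committed" without saying so, and a future edit that relaxes either half silently reopens the URL-spoof case the comment describes. A named predicate would make the security intent survive refactoring, e.g. `const bool is_new_navigation = pending_entry_->page_id() == -1;` followed by `if (pending_entry_ && is_new_navigation && pending_entry_->IsBrowserInitiated())`. The "Ideally we would also show…" paragraph documents a known, deliberately unhandled case; it should carry a tracking reference (`// TODO: see <bug-id placeholder>`) so the limitation is not mistaken for an oversight, and the renderer-initiated branch deserves a unit test asserting that GetVisibleEntry() falls through to the last committed entry. GetVisibleEntry() is fully contained in this hunk.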