Index: content/browser/frame_host/navigation_controller_impl.cc |
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc |
index 01ab901fe7d5e6c5bc9b4752cdfc21728f030c2c..fb3fee03d2ea4390be3262433758afbff367739f 100644 |
--- a/content/browser/frame_host/navigation_controller_impl.cc |
+++ b/content/browser/frame_host/navigation_controller_impl.cc |
@@ -1308,6 +1308,13 @@ bool NavigationControllerImpl::RendererDidNavigateAutoSubframe( |
// Update the current navigation entry in case we're going back/forward. |
if (entry_index != last_committed_entry_index_) { |
+ // Make sure that a subframe commit isn't changing the main frame URL. |
Avi (use Gerrit)
2015/04/30 15:25:28
Wouldn't this check also apply for DidNavManualSub
Charlie Reis
2015/04/30 16:28:28
I like that idea, but it doesn't look like there's
|
+ // Otherwise the renderer process may be confused, leading to a URL spoof. |
+ if (GetLastCommittedEntry()->GetURL() != |
+ GetEntryAtIndex(entry_index)->GetURL()) { |
+ bad_message::ReceivedBadMessage(rfh->GetProcess(), |
+ bad_message::NC_AUTO_SUBFRAME); |
+ } |
last_committed_entry_index_ = entry_index; |
DiscardNonCommittedEntriesInternal(); |
return true; |
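Review bot: After the `bad_message::ReceivedBadMessage(...)` call in the new mismatch branch, execution still falls through to `last_committed_entry_index_ = entry_index;` and `return true;`, so the controller records the very commit it has just judged invalid. Killing the renderer presumably does not stop this function from finishing, so I would add `return false;` right after the call to leave the navigation state untouched. How callers treat a false return is not visible here and should be confirmed. The condition also dereferences `GetLastCommittedEntry()` without a null check; if an auto-subframe commit can arrive before any entry has committed, that needs a guard first. The body of `RendererDidNavigateAutoSubframe` starts and ends outside this hunk.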