Ensure that HistoryController's current entry is updated on inert commits.

content/browser/frame_host/navigation_controller_impl.cc

Index: content/browser/frame_host/navigation_controller_impl.cc
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc
index 01ab901fe7d5e6c5bc9b4752cdfc21728f030c2c..fb3fee03d2ea4390be3262433758afbff367739f 100644
--- a/content/browser/frame_host/navigation_controller_impl.cc
+++ b/content/browser/frame_host/navigation_controller_impl.cc
@@ -1308,6 +1308,13 @@ bool NavigationControllerImpl::RendererDidNavigateAutoSubframe(
 
   // Update the current navigation entry in case we're going back/forward.
   if (entry_index != last_committed_entry_index_) {
+    // Make sure that a subframe commit isn't changing the main frame URL.
+    // Otherwise the renderer process may be confused, leading to a URL spoof.
+    if (GetLastCommittedEntry()->GetURL() !=
+        GetEntryAtIndex(entry_index)->GetURL()) {
+      bad_message::ReceivedBadMessage(rfh->GetProcess(),
+                                      bad_message::NC_AUTO_SUBFRAME);
+    }
     last_committed_entry_index_ = entry_index;
     DiscardNonCommittedEntriesInternal();
     return true;