To fix the cross-site post submission bug.

content/browser/web_contents/render_view_host_manager.cc

 // Copyright (c) 2012 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/web_contents/render_view_host_manager.h"
 
 #include <utility>
 
 #include "base/command_line.h"
 #include "base/logging.h"
+#include "content/browser/child_process_security_policy_impl.h"
 #include "content/browser/debugger/devtools_manager_impl.h"
 #include "content/browser/renderer_host/render_process_host_impl.h"
 #include "content/browser/renderer_host/render_view_host_factory.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/site_instance_impl.h"
 #include "content/browser/web_contents/navigation_controller_impl.h"
 #include "content/browser/web_contents/navigation_entry_impl.h"
 #include "content/browser/webui/web_ui_impl.h"
 #include "content/common/view_messages.h"
 #include "content/port/browser/render_widget_host_view_port.h"
@@ skipping 807 matching lines @@
         // cross-navigating (Note that we don't care about on{before}unload
         // handlers if the current RVH isn't live.)
         CommitPending();
         return render_view_host_;
       } else {
         NOTREACHED();
         return render_view_host_;
       }
     }
     // Otherwise, it's safe to treat this as a pending cross-site transition.
+    // For the cross-process Post Submission request, we need to migrate the
+    // permission to read the upload file from the old process to the
+    // new process. TODO(irobert): Not sure whether we need to revoke
+    // this permission after the POST.
+    //
+    // The second check is not redundant.
+    // For example, user did a cross-process submission from A to B,
+    // and then GoBack to A, and GoForward to B.
+    // In this case, the navigation entry maintained by the browser has
+    // the has_post_data_ set to true but the browser_initiated_post_data
+    // is pointed to an invalid address.
+    if (entry.GetHasPostData() &&
+        entry.GetBrowserInitiatedPostData()) {
+      ChildProcessSecurityPolicyImpl* policy =
+          ChildProcessSecurityPolicyImpl::GetInstance();
+      int oldID = render_view_host_->GetSiteInstance()->GetProcess()->GetID();
+      int newID =
+          pending_render_view_host_->GetSiteInstance()->GetProcess()->GetID();
+      const std::vector<webkit_glue::ResourceRequestBody::Element>* uploads =
+          entry.GetBrowserInitiatedPostData()->elements();
+      std::vector<webkit_glue::ResourceRequestBody::Element>::const_iterator
+          iter;
+      for (iter = uploads->begin(); iter != uploads->end(); ++iter) {
+        if (iter->type() ==
+                webkit_glue::ResourceRequestBody::Element::TYPE_FILE) {
+          if (policy->CanReadFile(oldID, iter->path())) {
+            policy->GrantReadFile(newID, iter->path());
+          }
+        }
+      }
+    }
 
     // Make sure the old render view stops, in case a load is in progress.
     render_view_host_->Send(
         new ViewMsg_Stop(render_view_host_->GetRoutingID()));
 
     // Suspend the new render view (i.e., don't let it send the cross-site
     // Navigate message) until we hear back from the old renderer's
     // onbeforeunload handler.  If the handler returns false, we'll have to
     // cancel the request.
     DCHECK(!pending_render_view_host_->are_navigations_suspended());
@@ skipping 111 matching lines @@
 RenderViewHostImpl* RenderViewHostManager::GetSwappedOutRenderViewHost(
     SiteInstance* instance) {
   RenderViewHostMap::iterator iter = swapped_out_hosts_.find(instance->GetId());
   if (iter != swapped_out_hosts_.end())
     return iter->second;
 
   return NULL;
 }
 
 }  // namespace content