Prevent bindings escalation on an existing NavigationEntry.

content/browser/web_contents/render_view_host_manager.cc

Index: content/browser/web_contents/render_view_host_manager.cc
diff --git a/content/browser/web_contents/render_view_host_manager.cc b/content/browser/web_contents/render_view_host_manager.cc
index 9a31ade8501e7a0c54ce9fbbfe6de8cfd013b12a..4b367273c662b38771922feeec74606194fb12b6 100644
--- a/content/browser/web_contents/render_view_host_manager.cc
+++ b/content/browser/web_contents/render_view_host_manager.cc
@@ -22,6 +22,7 @@
 #include "content/public/browser/content_browser_client.h"
 #include "content/public/browser/notification_service.h"
 #include "content/public/browser/notification_types.h"
+#include "content/public/browser/user_metrics.h"
 #include "content/public/browser/web_contents_view.h"
 #include "content/public/browser/web_ui_controller.h"
 #include "content/public/browser/web_ui_controller_factory.h"
@@ -818,6 +819,16 @@ RenderViewHostImpl* RenderViewHostManager::UpdateRendererStateForNavigate(
         delegate_->CreateWebUIForRenderManager(entry.GetURL()));
     pending_and_current_web_ui_.reset();
 
+    // If this is an existing NavigationEntry, make sure we're not granting it
+    // different bindings than it had before.  If so, note it and don't give it
+    // any bindings, to avoid a potential privilege escalation.
+    if (pending_web_ui_.get() &&
+        !entry.GetContentState().empty() &&
+        pending_web_ui_->GetBindings() != entry.bindings()) {
+      RecordAction(UserMetricsAction("ProcessSwapBindingsMismatch_RVHM"));
+      pending_web_ui_.reset();
+    }
+
     // Ensure that we have created RVHs for the new RVH's opener chain if
     // we are staying in the same BrowsingInstance. This allows the pending RVH
     // to send cross-process script calls to its opener(s).