Don't rely on the pending NavigationEntry for location.replace.

third_party/WebKit/LayoutTests/FlagExpectations/site-per-process

Index: third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
diff --git a/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process b/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
index c3a53fd2fb653de252bb5d5a45573d24fec917d6..0b99aba02a6575bd8ef11ce06d71f046f3e076a9 100644
--- a/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
+++ b/third_party/WebKit/LayoutTests/FlagExpectations/site-per-process
@@ -20,7 +20,7 @@ http/tests/security/contentSecurityPolicy/1.1/referrer-empty-http-https.html [ C
 http/tests/security/contentSecurityPolicy/1.1/referrer-invalid-http-https.html [ Crash ]
 http/tests/security/contentSecurityPolicy/1.1/referrer-never-http-https.html [ Crash ]
 http/tests/security/contentSecurityPolicy/1.1/referrer-origin-http-https.html [ Crash ]
-http/tests/security/cross-frame-access-document-direct.html [ Crash ]
+http/tests/security/cross-frame-access-document-direct.html [ Crash Timeout ]
 http/tests/security/frameNavigation/xss-ALLOWED-targeted-subframe-navigation-change.html [ Crash Timeout ]
 http/tests/security/listener/xss-inactive-closure.html [ Crash ]
 http/tests/security/listener/xss-JSTargetNode-onclick-addEventListener.html [ Crash ]