Reset previous WKBackForwardListeItem when navigating to WebUI pages.

ios/web/web_state/ui/crw_web_controller.mm

Index: ios/web/web_state/ui/crw_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm
index b253921a4cfe631ff41dacc1089d2dfe8a46df45..d27280f0a1a715af92954d25a340c4f74ae7948c 100644
--- a/ios/web/web_state/ui/crw_web_controller.mm
+++ b/ios/web/web_state/ui/crw_web_controller.mm
@@ -2318,6 +2318,26 @@ - (void)didFinishWithURL:(const GURL&)currentURL loadSuccess:(BOOL)loadSuccess {
   _webStateImpl->GetRequestTracker()->SetCacheModeFromUIThread(
       net::RequestTracker::CACHE_NORMAL);
 
+  // Rather than creating a new WKBackForwardListItem when loading WebUI pages,
+  // WKWebView will cache the WebUI HTML in the previous WKBackForwardListItem
+  // since it's loaded via |-loadHTML:forURL:| instead of an NSURLRequest.  As a
+  // result, the WebUI's HTML and URL will be loaded when navigating to that
+  // WKBackForwardListeItem, causing a mismatch between the visible content and

[Jackie Quinn, 2016/08/11 18:42:38]

extra e in WKBackForwardListItem.

Also could you mention explicitly is that the mismatch is the WebUI HTML being
loaded while the previous URL is shown?

[kkhorimoto, 2016/08/11 18:47:10]

Done.

+  // the visible URL.  To prevent this potential URL spoofing vulnerability,
+  // reset the previous NavigationItem's WKBackForwardListItem to force loading
+  // via NSURLRequest.
+  if (_webUIManager) {
+    web::NavigationItem* lastNavigationItem =
+        self.sessionController.previousEntry.navigationItem;
+    if (lastNavigationItem) {
+      web::WKBackForwardListItemHolder* holder =
+          web::WKBackForwardListItemHolder::FromNavigationItem(
+              lastNavigationItem);
+      DCHECK(holder);
+      holder->set_back_forward_list_item(nil);
+    }
+  }
+
   [self restoreStateFromHistory];
   _webStateImpl->OnPageLoaded(currentURL, loadSuccess);
   _webStateImpl->SetIsLoading(false);