Reset previous WKBackForwardListeItem when navigating to WebUI pages.

ios/web/web_state/ui/crw_web_controller.mm

Index: ios/web/web_state/ui/crw_web_controller.mm
diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm
index d030fb24faaf1a5e22bf41d2e52141a3c8fd201d..783dc479b64dc91f3b12c6b9c12f8a4d4a8b62eb 100644
--- a/ios/web/web_state/ui/crw_web_controller.mm
+++ b/ios/web/web_state/ui/crw_web_controller.mm
@@ -2336,6 +2336,27 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5;
   _webStateImpl->GetRequestTracker()->SetCacheModeFromUIThread(
       net::RequestTracker::CACHE_NORMAL);
 
+  // Rather than creating a new WKBackForwardListItem when loading WebUI pages,
+  // WKWebView will cache the WebUI HTML in the previous WKBackForwardListItem
+  // since it's loaded via |-loadHTML:forURL:| instead of an NSURLRequest.  As a
+  // result, the WebUI's HTML and URL will be loaded when navigating to that
+  // WKBackForwardListItem, causing a mismatch between the visible content and
+  // the visible URL (WebUI page will be visible, but URL will be the previous
+  // page's URL).  To prevent this potential URL spoofing vulnerability, reset
+  // the previous NavigationItem's WKBackForwardListItem to force loading via
+  // NSURLRequest.
+  if (_webUIManager) {
+    web::NavigationItem* lastNavigationItem =
+        self.sessionController.previousEntry.navigationItem;
+    if (lastNavigationItem) {
+      web::WKBackForwardListItemHolder* holder =
+          web::WKBackForwardListItemHolder::FromNavigationItem(
+              lastNavigationItem);
+      DCHECK(holder);
+      holder->set_back_forward_list_item(nil);
+    }
+  }
+
   [self restoreStateFromHistory];
   _webStateImpl->OnPageLoaded(currentURL, loadSuccess);
   _webStateImpl->SetIsLoading(false);