| Index: ios/web/web_state/ui/crw_web_controller.mm
|
| diff --git a/ios/web/web_state/ui/crw_web_controller.mm b/ios/web/web_state/ui/crw_web_controller.mm
|
| index d030fb24faaf1a5e22bf41d2e52141a3c8fd201d..783dc479b64dc91f3b12c6b9c12f8a4d4a8b62eb 100644
|
| --- a/ios/web/web_state/ui/crw_web_controller.mm
|
| +++ b/ios/web/web_state/ui/crw_web_controller.mm
|
| @@ -2336,6 +2336,27 @@ const NSTimeInterval kSnapshotOverlayTransition = 0.5;
|
| _webStateImpl->GetRequestTracker()->SetCacheModeFromUIThread(
|
| net::RequestTracker::CACHE_NORMAL);
|
|
|
| + // Rather than creating a new WKBackForwardListItem when loading WebUI pages,
|
| + // WKWebView will cache the WebUI HTML in the previous WKBackForwardListItem
|
| + // since it's loaded via |-loadHTML:forURL:| instead of an NSURLRequest. As a
|
| + // result, the WebUI's HTML and URL will be loaded when navigating to that
|
| + // WKBackForwardListItem, causing a mismatch between the visible content and
|
| + // the visible URL (WebUI page will be visible, but URL will be the previous
|
| + // page's URL). To prevent this potential URL spoofing vulnerability, reset
|
| + // the previous NavigationItem's WKBackForwardListItem to force loading via
|
| + // NSURLRequest.
|
| + if (_webUIManager) {
|
| + web::NavigationItem* lastNavigationItem =
|
| + self.sessionController.previousEntry.navigationItem;
|
| + if (lastNavigationItem) {
|
| + web::WKBackForwardListItemHolder* holder =
|
| + web::WKBackForwardListItemHolder::FromNavigationItem(
|
| + lastNavigationItem);
|
| + DCHECK(holder);
|
| + holder->set_back_forward_list_item(nil);
|
| + }
|
| + }
|
| +
|
| [self restoreStateFromHistory];
|
| _webStateImpl->OnPageLoaded(currentURL, loadSuccess);
|
| _webStateImpl->SetIsLoading(false);
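Review bot: The guard `if (_webUIManager)` only tests that a WebUI manager exists, while the comment above it ties the spoofing risk to pages loaded via `-loadHTML:forURL:`. If the manager can be non-nil during ordinary loads (not visible in this hunk), every finished load would discard the previous item's WKBackForwardListItem; if any `-loadHTML:forURL:` path runs without the manager, the content/URL mismatch would remain. Either key the reset on the load that actually used `-loadHTML:forURL:`, or, if it holds, state the invariant next to the check, e.g. `// _webUIManager is non-nil only while this web view is showing a WebUI page.` Separately, `DCHECK(holder)` is normally compiled out of release builds, so if `FromNavigationItem` can ever return null the next line dereferences it; `if (holder) holder->set_back_forward_list_item(nil);` would fail safe. The enclosing method starts and ends outside the hunk.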
|
|
|