Fix going back to a script-injected about:blank frame.

content/browser/frame_host/navigation_entry_impl.cc

Index: content/browser/frame_host/navigation_entry_impl.cc
diff --git a/content/browser/frame_host/navigation_entry_impl.cc b/content/browser/frame_host/navigation_entry_impl.cc
index 28f9b2ee737445cec291175534a4dc502cdabac4..abf4396df15615a54f1eff20fce8bcd5e7c86e76 100644
--- a/content/browser/frame_host/navigation_entry_impl.cc
+++ b/content/browser/frame_host/navigation_entry_impl.cc
@@ -872,8 +872,29 @@ std::set<std::string> NavigationEntryImpl::GetSubframeUniqueNames(
   NavigationEntryImpl::TreeNode* tree_node = FindFrameEntry(frame_tree_node);
   if (tree_node) {
     // Return the names of all immediate children.
-    for (TreeNode* child : tree_node->children)
+    for (TreeNode* child : tree_node->children) {
+      // Ignore subframe unique names if we would just be staying at
+      // about:blank, since the renderer should be allowed to just commit the
+      // initial blank frame those cases.  PageState doesn't matter there,
+      // because content injected into about:blank frames doesn't use it.
+      //
+      // Be careful not to include iframe srcdoc URLs, which do need their
+      // PageState.  The committed URL in that case gets rewritten to
+      // about:blank, but we can detect it in the PageState's URL.
+      //
+      // See https://crbug.com/657896 for details.
+      // TODO(creis): Find a way to detect cases when the iframe started at a
+      // real URL and later went to about:blank, since those are broken for now.
+      ExplodedPageState exploded_page_state;
+      if (DecodePageState(child->frame_entry->page_state().ToEncodedData(),
+                          &exploded_page_state)) {
+        ExplodedFrameState frame_state = exploded_page_state.top;
+        if (UTF16ToUTF8(frame_state.url_string.string()) == url::kAboutBlankURL)
+          continue;
+      }
+
       names.insert(child->frame_entry->frame_unique_name());
+    }
   }
   return names;
 }