Fix history nav to a script-injected about:blank frame.

content/browser/frame_host/navigation_entry_impl.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "content/browser/frame_host/navigation_entry_impl.h"
 
 #include <stddef.h>
 
 #include <queue>
 #include <utility>
@@ skipping 685 matching lines @@
     const {
   return StartNavigationParams(extra_headers(),
                                transferred_global_request_id().child_id,
                                transferred_global_request_id().request_id);
 }
 
 RequestNavigationParams NavigationEntryImpl::ConstructRequestNavigationParams(
     const FrameNavigationEntry& frame_entry,
     bool is_same_document_history_load,
     bool is_history_navigation_in_new_child,
-    const std::set<std::string>& subframe_unique_names,
+    const std::map<std::string, bool>& subframe_unique_names,
     bool has_committed_real_load,
     bool intended_as_new_entry,
     int pending_history_list_offset,
     int current_history_list_offset,
     int current_history_list_length) const {
   // Set the redirect chain to the navigation's redirects, unless returning to a
   // completed navigation (whose previous redirects don't apply).
   std::vector<GURL> redirects;
   if (ui::PageTransitionIsNewNavigation(GetTransitionType())) {
     redirects = frame_entry.redirect_chain();
@@ skipping 142 matching lines @@
   parent_node->children.push_back(
       new NavigationEntryImpl::TreeNode(parent_node, frame_entry));
 }
 
 FrameNavigationEntry* NavigationEntryImpl::GetFrameEntry(
     FrameTreeNode* frame_tree_node) const {
   NavigationEntryImpl::TreeNode* tree_node = FindFrameEntry(frame_tree_node);
   return tree_node ? tree_node->frame_entry.get() : nullptr;
 }
 
-std::set<std::string> NavigationEntryImpl::GetSubframeUniqueNames(
+std::map<std::string, bool> NavigationEntryImpl::GetSubframeUniqueNames(
     FrameTreeNode* frame_tree_node) const {
-  std::set<std::string> names;
+  std::map<std::string, bool> names;
   NavigationEntryImpl::TreeNode* tree_node = FindFrameEntry(frame_tree_node);
   if (tree_node) {
     // Return the names of all immediate children.
-    for (TreeNode* child : tree_node->children)
-      names.insert(child->frame_entry->frame_unique_name());
+    for (TreeNode* child : tree_node->children) {
+      // Keep track of whether we would be loading about:blank, since the
+      // renderer should be allowed to just commit the initial blank frame if
+      // that was the default URL.  PageState doesn't matter there, because
+      // content injected into about:blank frames doesn't use it.
+      //
+      // Be careful not to include iframe srcdoc URLs in this check, which do
+      // need their PageState.  The committed URL in that case gets rewritten to
+      // about:blank, but we can detect it via the PageState's URL.
+      //
+      // See https://crbug.com/657896 for details.
+      bool is_about_blank = false;
+      ExplodedPageState exploded_page_state;
+      if (DecodePageState(child->frame_entry->page_state().ToEncodedData(),
+                          &exploded_page_state)) {
+        ExplodedFrameState frame_state = exploded_page_state.top;
+        if (UTF16ToUTF8(frame_state.url_string.string()) == url::kAboutBlankURL)
+          is_about_blank = true;
+      }
+
+      names[child->frame_entry->frame_unique_name()] = is_about_blank;
+    }
   }
   return names;
 }
 
 void NavigationEntryImpl::ClearStaleFrameEntriesForNewFrame(
     FrameTreeNode* frame_tree_node) {
   DCHECK(!frame_tree_node->IsMainFrame());
 
   NavigationEntryImpl::TreeNode* node = nullptr;
   std::queue<NavigationEntryImpl::TreeNode*> work_queue;
@@ skipping 51 matching lines @@
       return node;
 
     // Enqueue any children and keep looking.
     for (auto* child : node->children)
       work_queue.push(child);
   }
   return nullptr;
 }
 
 }  // namespace content