Index: chrome/browser/extensions/api/tabs/tabs_api.cc |
diff --git a/chrome/browser/extensions/api/tabs/tabs_api.cc b/chrome/browser/extensions/api/tabs/tabs_api.cc |
index 021df4b62ccce2a514dccb11a0e479d8fd8a07f1..be512f9f4fc13b16aadaf733c75650ece3823308 100644 |
--- a/chrome/browser/extensions/api/tabs/tabs_api.cc |
+++ b/chrome/browser/extensions/api/tabs/tabs_api.cc |
@@ -1320,13 +1320,21 @@ bool TabsUpdateFunction::UpdateURL(const std::string &url_string, |
return true; |
} |
- web_contents_->GetController().LoadURL( |
- url, content::Referrer(), ui::PAGE_TRANSITION_LINK, std::string()); |
+ // Load the URL, but treat it as renderer-initiated so that it does not show |
+ // in the omnibox until it commits. This avoids URL spoofs when the tabs API |
+ // is used on behalf of untrusted content. |
+ NavigationController::LoadURLParams load_params(url); |
+ load_params.is_renderer_initiated = true; |
+ web_contents_->GetController().LoadURLWithParams(load_params); |
// The URL of a tab contents never actually changes to a JavaScript URL, so |
// this check only makes sense in other cases. |
- if (!url.SchemeIs(url::kJavaScriptScheme)) |
- DCHECK_EQ(url.spec(), web_contents_->GetURL().spec()); |
+ if (!url.SchemeIs(url::kJavaScriptScheme)) { |
+ // The URL should be present in the pending entry, though it won't be |
+ // visible in the omnibox until it commits. |
+ DCHECK_EQ( |
+ url, web_contents_->GetController().GetPendingEntry()->GetVirtualURL()); |
+ } |
return true; |
} |
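Review bot: The new `DCHECK_EQ` dereferences `GetController().GetPendingEntry()` without a null check, so a debug build would crash rather than fail the assertion if `LoadURLWithParams` leaves no pending entry. Whether that can happen here (for example a navigation that is rejected or cancelled synchronously) cannot be told from the hunk. Splitting the check keeps the failure readable: `content::NavigationEntry* pending = web_contents_->GetController().GetPendingEntry();` followed by `DCHECK(pending);` and `DCHECK_EQ(url, pending->GetVirtualURL());`. The old call passed `content::Referrer()` and `ui::PAGE_TRANSITION_LINK` explicitly, while the new code relies on the `LoadURLParams` defaults; setting `load_params.transition_type = ui::PAGE_TRANSITION_LINK;` would make it obvious the spoof fix changes only the initiator flag. `UpdateURL` starts above this hunk, so the earlier URL validation is not visible here.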