Don't show the pending URL for chrome.tabs API navigations.

chrome/browser/extensions/api/tabs/tabs_api.cc

Index: chrome/browser/extensions/api/tabs/tabs_api.cc
diff --git a/chrome/browser/extensions/api/tabs/tabs_api.cc b/chrome/browser/extensions/api/tabs/tabs_api.cc
index 021df4b62ccce2a514dccb11a0e479d8fd8a07f1..be512f9f4fc13b16aadaf733c75650ece3823308 100644
--- a/chrome/browser/extensions/api/tabs/tabs_api.cc
+++ b/chrome/browser/extensions/api/tabs/tabs_api.cc
@@ -1320,13 +1320,21 @@ bool TabsUpdateFunction::UpdateURL(const std::string &url_string,
     return true;
   }
 
-  web_contents_->GetController().LoadURL(
-      url, content::Referrer(), ui::PAGE_TRANSITION_LINK, std::string());
+  // Load the URL, but treat it as renderer-initiated so that it does not show
+  // in the omnibox until it commits.  This avoids URL spoofs when the tabs API
+  // is used on behalf of untrusted content.
+  NavigationController::LoadURLParams load_params(url);
+  load_params.is_renderer_initiated = true;
+  web_contents_->GetController().LoadURLWithParams(load_params);
 
   // The URL of a tab contents never actually changes to a JavaScript URL, so
   // this check only makes sense in other cases.
-  if (!url.SchemeIs(url::kJavaScriptScheme))
-    DCHECK_EQ(url.spec(), web_contents_->GetURL().spec());
+  if (!url.SchemeIs(url::kJavaScriptScheme)) {
+    // The URL should be present in the pending entry, though it won't be
+    // visible in the omnibox until it commits.
+    DCHECK_EQ(
+        url, web_contents_->GetController().GetPendingEntry()->GetVirtualURL());
+  }
 
   return true;
 }