Index: third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp |
diff --git a/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp b/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp |
index eb81d639c4de017fbb4adf4c46265078a85c0f43..723915b680ee339c1e492a8c9135b7fcadbd2323 100644 |
--- a/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp |
+++ b/third_party/WebKit/Source/core/html/HTMLFrameElementBase.cpp |
@@ -38,6 +38,7 @@ |
#include "core/loader/FrameLoaderClient.h" |
#include "core/page/FocusController.h" |
#include "core/page/Page.h" |
+#include "wtf/Assertions.h" |
namespace blink { |
@@ -187,6 +188,10 @@ void HTMLFrameElementBase::didNotifySubtreeInsertionsToDocument() { |
if (!SubframeLoadingDisabler::canLoadFrame(*this)) |
return; |
+ // If there's a content frame already attached, the DOM is already in an |
+ // inconsistent state. It's dangerous to continue, so just abort. |
+ SECURITY_CHECK(!contentFrame()); |
+ |
setNameAndOpenURL(); |
} |