Send a subtree of same-process PageStates for back/forward child frames.

content/browser/frame_host/render_frame_host_impl.cc

Index: content/browser/frame_host/render_frame_host_impl.cc
diff --git a/content/browser/frame_host/render_frame_host_impl.cc b/content/browser/frame_host/render_frame_host_impl.cc
index c8d66dc67f8bb41762bb38acbeee63283063152a..84257f9ed276183e0babf56cae3f1f4255fb15fe 100644
--- a/content/browser/frame_host/render_frame_host_impl.cc
+++ b/content/browser/frame_host/render_frame_host_impl.cc
@@ -3087,9 +3087,15 @@ void RenderFrameHostImpl::UpdatePermissionsForNavigation(
   // access again.  Abuse is prevented, because the files listed in the page
   // state are validated earlier, when they are received from the renderer (in
   // RenderFrameHostImpl::CanAccessFilesOfPageState).
-  if (request_params.page_state.IsValid())
+  if (request_params.page_state.IsValid()) {
     GrantFileAccessFromPageState(request_params.page_state);
 
+    // Iterate over the subtree of PageStates as well, since the renderer will
+    // attempt to load each of these without asking the browser process.
+    for (const auto& iter : request_params.subtree_page_states)
+      GrantFileAccessFromPageState(iter.second);
+  }
+
   // We may be here after transferring navigation to a different renderer
   // process.  In this case, we need to ensure that the new renderer retains
   // ability to access files that the old renderer could access.  Abuse is