Require a process ID when looking up RFHs by FrameTreeNode ID.

content/public/browser/web_contents.h

Index: content/public/browser/web_contents.h
diff --git a/content/public/browser/web_contents.h b/content/public/browser/web_contents.h
index b4ac5c96864391a7ee595cda8f85ebe9f9d587f8..5cce1884fb5388669ba7e27bcaf5f683a727fca9 100644
--- a/content/public/browser/web_contents.h
+++ b/content/public/browser/web_contents.h
@@ -245,9 +245,21 @@ class WebContents : public PageNavigator,
   virtual RenderFrameHost* GetFocusedFrame() = 0;
 
   // Returns the current RenderFrameHost for a given FrameTreeNode ID if it is
-  // part of this tab. See RenderFrameHost::GetFrameTreeNodeId for documentation
-  // on this ID.
-  virtual RenderFrameHost* FindFrameByFrameTreeNodeId(
+  // part of this tab. Returns nullptr if |process_id| does not match the
+  // current RenderFrameHost's process ID, to avoid security bugs where callers
+  // do not realize a cross-process navigation (and thus privilege change) has
+  // taken place. See RenderFrameHost::GetFrameTreeNodeId for documentation on
+  // frame_tree_node_id.
+  virtual RenderFrameHost* FindFrameByFrameTreeNodeId(int frame_tree_node_id,
+                                                      int process_id) = 0;
+
+  // NOTE: This is generally unsafe to use. Use FindFrameByFrameTreeNodeId
+  // instead.
+  // Returns the current RenderFrameHost for a given FrameTreeNode ID if it is
+  // part of this tab. This may not match the caller's expectation, if a
+  // cross-process navigation (and thus privilege change) has taken place.
+  // See RenderFrameHost::GetFrameTreeNodeId for documentation on this ID.
+  virtual RenderFrameHost* UnsafeFindFrameByFrameTreeNodeId(
       int frame_tree_node_id) = 0;
 
   // Calls |on_frame| for each frame in the currently active view.