Require a process ID when looking up RFHs by FrameTreeNode ID.

content/public/browser/web_contents.h

Index: content/public/browser/web_contents.h
diff --git a/content/public/browser/web_contents.h b/content/public/browser/web_contents.h
index b4ac5c96864391a7ee595cda8f85ebe9f9d587f8..14c614c765bb744d29a5c18920dbf5a692e0746e 100644
--- a/content/public/browser/web_contents.h
+++ b/content/public/browser/web_contents.h
@@ -245,9 +245,22 @@ class WebContents : public PageNavigator,
   virtual RenderFrameHost* GetFocusedFrame() = 0;
 
   // Returns the current RenderFrameHost for a given FrameTreeNode ID if it is
-  // part of this tab. See RenderFrameHost::GetFrameTreeNodeId for documentation
-  // on this ID.
-  virtual RenderFrameHost* FindFrameByFrameTreeNodeId(
+  // part of this frame tree, not including frames in any inner WebContents.
+  // Returns nullptr if |process_id| does not match the current
+  // RenderFrameHost's process ID, to avoid security bugs where callers do not
+  // realize a cross-process navigation (and thus privilege change) has taken
+  // place. See RenderFrameHost::GetFrameTreeNodeId for documentation on
+  // frame_tree_node_id.
+  virtual RenderFrameHost* FindFrameByFrameTreeNodeId(int frame_tree_node_id,
+                                                      int process_id) = 0;
+
+  // NOTE: This is generally unsafe to use. Use FindFrameByFrameTreeNodeId
+  // instead.
+  // Returns the current RenderFrameHost for a given FrameTreeNode ID if it is
+  // part of this frame tree. This may not match the caller's expectation, if a
+  // cross-process navigation (and thus privilege change) has taken place.
+  // See RenderFrameHost::GetFrameTreeNodeId for documentation on this ID.
+  virtual RenderFrameHost* UnsafeFindFrameByFrameTreeNodeId(
       int frame_tree_node_id) = 0;
 
   // Calls |on_frame| for each frame in the currently active view.