Drop CreateChildFrame messages when swapping out.

content/browser/frame_host/frame_tree.cc

Index: content/browser/frame_host/frame_tree.cc
diff --git a/content/browser/frame_host/frame_tree.cc b/content/browser/frame_host/frame_tree.cc
index 7a17f1c1041352996ae4ac2f4ea69487fe4db767..1bc0cf5b230e8144b5ab8a80e110ab0510b32268 100644
--- a/content/browser/frame_host/frame_tree.cc
+++ b/content/browser/frame_host/frame_tree.cc
@@ -143,8 +143,16 @@ void FrameTree::ForEach(
 }
 
 RenderFrameHostImpl* FrameTree::AddFrame(FrameTreeNode* parent,
+                                         int process_id,
                                          int new_routing_id,
                                          const std::string& frame_name) {
+  // A child frame always starts with an initial empty document, which means
+  // it is in the same SiteInstance as the parent frame. Ensure that the process
+  // which requested a child frame to be added is the same as the process of the
+  // parent node.
+  if (parent->current_frame_host()->GetProcess()->GetID() != process_id)
+    return nullptr;
+
   scoped_ptr<FrameTreeNode> node(new FrameTreeNode(
       this, parent->navigator(), render_frame_delegate_, render_view_delegate_,
       render_widget_delegate_, manager_delegate_, frame_name));
@@ -154,7 +162,7 @@ RenderFrameHostImpl* FrameTree::AddFrame(FrameTreeNode* parent,
   CHECK(result.second);
   FrameTreeNode* node_ptr = node.get();
   // AddChild is what creates the RenderFrameHost.
-  parent->AddChild(node.Pass(), new_routing_id);
+  parent->AddChild(node.Pass(), process_id, new_routing_id);
   return node_ptr->current_frame_host();
 }