diff options
| author | avi <avi@chromium.org> | 2015-05-28 10:50:23 -0700 |
|---|---|---|
| committer | Commit bot <commit-bot@chromium.org> | 2015-05-28 17:50:43 +0000 |
| commit | 3a5b8f3edd86e6fa3a996e6d993732f2b189c832 (patch) | |
| tree | 28feced0fc6cf4274dcbd16b41aabcb45579ccde | |
| parent | a222c079f0205fc7276a490dcfe5b33873be217f (diff) | |
| download | chromium_src-3a5b8f3edd86e6fa3a996e6d993732f2b189c832.zip chromium_src-3a5b8f3edd86e6fa3a996e6d993732f2b189c832.tar.gz chromium_src-3a5b8f3edd86e6fa3a996e6d993732f2b189c832.tar.bz2 | |
Do an origin check if the renderer claims a renderer-initiated navigation was in-page.
BUG=369661
TEST=none
Review URL: https://codereview.chromium.org/1156113009
Cr-Commit-Position: refs/heads/master@{#331816}
| -rw-r--r-- | content/browser/frame_host/navigation_controller_impl.cc | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/content/browser/frame_host/navigation_controller_impl.cc b/content/browser/frame_host/navigation_controller_impl.cc index 5ee44552..34c05fb 100644 --- a/content/browser/frame_host/navigation_controller_impl.cc +++ b/content/browser/frame_host/navigation_controller_impl.cc @@ -1144,10 +1144,12 @@ NavigationType NavigationControllerImpl::ClassifyNavigationWithoutPageID( // Just like above in the did_create_new_entry case, it's possible to // scribble onto an uncommitted page. Again, there isn't any navigation // stuff that we can do, so ignore it here as well. - if (!GetLastCommittedEntry()) + NavigationEntry* last_committed = GetLastCommittedEntry(); + if (!last_committed) return NAVIGATION_TYPE_NAV_IGNORE; - if (params.was_within_same_page) { + if (AreURLsInPageNavigation(last_committed->GetURL(), params.url, + params.was_within_same_page, rfh)) { // This is history.replaceState(), which is renderer-initiated yet within // the same page. return NAVIGATION_TYPE_IN_PAGE; |