When determining whether or not to swap processes on navigation, check the top frame's URL.

Otherwise having an inner frame that matches the app's extent could mean that the process
is not swapped, even if we're not in an app process.

Difference from r94843 is that the popup window is 200x200, so that it results in a separate
Browser instance even on Chrome OS.

BUG=89272
TEST=no
R=creis@chromium.org

Review URL: http://codereview.chromium.org/7608015

git-svn-id: svn://svn.chromium.org/chrome/trunk/src@96197 0039d316-1c4b-4281-b951-d872f2087c98

1 files changed, 4 insertions, 3 deletions

diff --git a/chrome/renderer/chrome_content_renderer_client.cc b/chrome/renderer/chrome_content_renderer_client.cc
index 759388a..eb8a541 100644
--- a/chrome/renderer/chrome_content_renderer_client.cc
+++ b/chrome/renderer/chrome_content_renderer_client.cc
@@ -671,13 +671,14 @@ bool ChromeContentRendererClient::CrossesExtensionExtents(WebFrame* frame,
                                                           const GURL& new_url) {
   const ExtensionSet* extensions = extension_dispatcher_->extensions();
   // If the URL is still empty, this is a window.open navigation. Check the
-  // opener's URL.
+  // opener's URL. In all cases we use the top frame's URL (as opposed to our
+  // frame's) since that's what determines the type of process.
   // TODO(abarth): This code is super sketchy! Are you sure looking at the
   // opener is correct here?  This appears to let me steal my opener's
   // privileges if I can make my URL be "empty."
-  GURL old_url(frame->document().url());
+  GURL old_url(frame->top()->document().url());
   if (old_url.is_empty() && frame->opener())
-    old_url = frame->opener()->document().url();
+    old_url = frame->top()->opener()->top()->document().url();
 
   // If this is a reload, check whether it has the wrong process type.  We
   // should send it to the browser if it's an extension URL (e.g., hosted app)