Delete unneeded pending entries in DidFailProvisionalLoad to prevent a spoof.

content/browser/web_contents/web_contents_impl_browsertest.cc

 // Copyright 2013 The Chromium Authors. All rights reserved.
 // Use of this source code is governed by a BSD-style license that can be
 // found in the LICENSE file.
 
 #include "base/values.h"
 #include "content/browser/renderer_host/render_view_host_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/public/browser/load_notification_details.h"
 #include "content/public/browser/navigation_controller.h"
 #include "content/public/browser/notification_details.h"
@@ skipping 167 matching lines @@
   NavigateOnCommitObserver commit_observer(
       shell(), embedded_test_server()->GetURL("/title2.html"));
   NavigateToURL(shell(), embedded_test_server()->GetURL("/title1.html"));
   load_observer.Wait();
 
   EXPECT_EQ("/title1.html", load_observer.url_.path());
   EXPECT_EQ(0, load_observer.session_index_);
   EXPECT_EQ(&shell()->web_contents()->GetController(),
             load_observer.controller_);
 }
+// Test that a renderer-initiated navigation to an invalid URL does not leave
+// around a pending entry that could be used in a URL spoof.  We test this in
+// a browser test because our unit test framework incorrectly calls
+// DidStartProvisionalLoadForFrame for in-page navigations.
+// See http://crbug.com/280512.
+IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest,
+                       ClearNonVisiblePendingOnFail) {
+  ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
+
+  NavigateToURL(shell(), embedded_test_server()->GetURL("/title1.html"));
+
+  // Navigate to an invalid URL and make sure it doesn't leave a pending entry.
+  LoadStopNotificationObserver load_observer1(
+      &shell()->web_contents()->GetController());
+  ASSERT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "window.location.href=\"nonexistent:12121\";"));
+  load_observer1.Wait();
+  EXPECT_FALSE(shell()->web_contents()->GetController().GetPendingEntry());
+
+  LoadStopNotificationObserver load_observer2(
+      &shell()->web_contents()->GetController());
+  ASSERT_TRUE(ExecuteScript(shell()->web_contents(),
+                            "window.location.href=\"#foo\";"));
+  load_observer2.Wait();
+  EXPECT_EQ(embedded_test_server()->GetURL("/title1.html#foo"),
+            shell()->web_contents()->GetVisibleURL());
+}
 
 // Test that the browser receives the proper frame attach/detach messages from
 // the renderer and builds proper frame tree.
 IN_PROC_BROWSER_TEST_F(WebContentsImplBrowserTest, FrameTree) {
   ASSERT_TRUE(embedded_test_server()->InitializeAndWaitUntilReady());
 
   NavigateToURL(shell(),
                 embedded_test_server()->GetURL("/frame_tree/top.html"));
 
   WebContentsImpl* wc = static_cast<WebContentsImpl*>(shell()->web_contents());
@@ skipping 78 matching lines @@
   // RenderViewSizeObserver resizes WebContentsView in NavigateToPendingEntry,
   // so both WebContentsView and RenderWidgetHostView adopt this new size.
   new_size.Enlarge(size_insets.width(), size_insets.height());
   EXPECT_EQ(new_size,
             shell()->web_contents()->GetRenderWidgetHostView()->GetViewBounds().
                 size());
   EXPECT_EQ(new_size, shell()->web_contents()->GetView()->GetContainerSize());
 }
 
 }  // namespace content