Index: content/browser/web_contents/web_contents_impl.cc |
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc |
index 5917a44798b8a31a2a6bf619721b15d0cad3290e..8b9067bd4d9b6fd1ebb6f421536ba7d05d4b9209 100644 |
--- a/content/browser/web_contents/web_contents_impl.cc |
+++ b/content/browser/web_contents/web_contents_impl.cc |
@@ -2241,13 +2241,21 @@ void WebContentsImpl::DidFailProvisionalLoadWithError( |
return; |
} |
- // Do not clear the pending entry if one exists, so that the user's typed |
- // URL is not lost when a navigation fails or is aborted. We'll allow |
- // the view to clear the pending entry and typed URL if the user requests. |
- |
render_manager_.RendererAbortedProvisionalLoad(render_view_host); |
} |
+ // Do not usually clear the pending entry if one exists, so that the user's |
+ // typed URL is not lost when a navigation fails or is aborted. However, in |
+ // cases that we don't show the pending entry (e.g., renderer-initiated |
+ // navigations in an existing tab), we don't keep it around. That prevents |
+ // spoofs on in-page navigations that don't go through |
+ // DidStartProvisionalLoadForFrame. |
+ // In general, we allow the view to clear the pending entry and typed URL if |
+ // the user requests (e.g., hitting Escape with focus in the address bar). |
+ // Note: don't touch the transient entry, since an interstitial may exist. |
+ if (controller_.GetPendingEntry() != controller_.GetVisibleEntry()) |
+ controller_.DiscardPendingEntry(); |
+ |
FOR_EACH_OBSERVER(WebContentsObserver, |
observers_, |
DidFailProvisionalLoad(params.frame_id, |
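Review bot: The new `DiscardPendingEntry()` call sits after the closing brace of the preceding block, so it runs on every provisional-load failure that reaches this point, and nothing visible ties the failing load to the navigation the pending entry describes. Since the observer call below passes `params.frame_id`, failures appear to be reported per frame, so a failed subframe load could drop a hidden pending entry belonging to an unrelated main-frame navigation still in flight. If that is intended for the spoof fix, say so in the comment, e.g. `// Runs for any frame's failure on purpose: a pending entry that is not shown must not outlive a failed load.`; otherwise gate the discard on the failing load being the pending one. The discard also happens before `FOR_EACH_OBSERVER`, so an observer that reads the pending entry in `DidFailProvisionalLoad` would now find it gone, which is worth confirming against existing observers. The function starts before this hunk and continues past it, so its earlier guards are not visible here, and a regression test is needed for the case named in the comment (an in-page navigation after a failed renderer-initiated load).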