Add check for mismatching item and document sequence numbers.
When a PageState update is received from the renderer process, it must
be for the current session history entry. This means that the sequence
numbers associated with the FrameNavigationEntry should match the ones
coming from the renderer process.
This CL adds a check for this case and drops the update if a mismatch is
found.
BUG=628677
Review-Url: https://codereview.chromium.org/2196623003
Cr-Commit-Position: refs/heads/master@{#408698}
diff --git a/content/browser/web_contents/web_contents_impl.cc b/content/browser/web_contents/web_contents_impl.cc
index 2fa1abdb..e3d331ac 100644
--- a/content/browser/web_contents/web_contents_impl.cc
+++ b/content/browser/web_contents/web_contents_impl.cc
@@ -81,6 +81,7 @@
#include "content/common/input/web_input_event_traits.h"
#include "content/common/input_messages.h"
#include "content/common/page_messages.h"
+#include "content/common/page_state_serialization.h"
#include "content/common/site_isolation_policy.h"
#include "content/common/ssl_status_serialization.h"
#include "content/common/view_messages.h"
@@ -4534,6 +4535,22 @@
base::debug::DumpWithoutCrashing();
NOTREACHED() << "Shouldn't set an empty PageState.";
}
+
+ // The document_sequence_number and item_sequence_number recorded in the
+ // FrameNavigationEntry should not differ from the one coming with the update,
+ // since it must come from the same document. Do not update it if a difference
+ // is detected, as this indicates that |frame_entry| is not the correct one.
+ ExplodedPageState exploded_state;
+ if (!DecodePageState(page_state.ToEncodedData(), &exploded_state))
+ return;
+
+ if (exploded_state.top.document_sequence_number !=
+ frame_entry->document_sequence_number() ||
+ exploded_state.top.item_sequence_number !=
+ frame_entry->item_sequence_number()) {
+ return;
+ }
+
frame_entry->set_page_state(page_state);
controller_.NotifyEntryChanged(entry);
}
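Review bot: The decode-failure bail-out at `if (!DecodePageState(page_state.ToEncodedData(), &exploded_state)) return;` silently drops renderer-supplied data that fails to parse, while the empty-PageState case just above it still dumps a report and hits NOTREACHED; of the two new early returns this is the one that more strongly suggests a misbehaving renderer, so it deserves at least the same visibility. Consider routing the decode failure through whatever bad-message handling this file already uses for untrusted renderer input (not visible in this hunk), or at minimum marking the intent with `// Renderer sent a PageState we cannot decode; drop it rather than trust it.` so the silent drop reads as deliberate. The sequence-number mismatch branch is reasonable as a quiet drop, since it can presumably also occur in a benign race with a newer navigation, but a debug log there would help diagnose lost state updates. Note that the whole PageState is exploded just to read two fields of `top`, which is fine if this path is not hot but worth a one-line comment. The enclosing function starts outside the hunk.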