Diffstat (limited to 'chromium/content/browser/security_exploit_browsertest.cc')
-rw-r--r--chromium/content/browser/security_exploit_browsertest.cc36
1 files changed, 28 insertions, 8 deletions
diff --git a/chromium/content/browser/security_exploit_browsertest.cc b/chromium/content/browser/security_exploit_browsertest.cc
index baf30825dbd..19ceb50ed0f 100644
--- a/chromium/content/browser/security_exploit_browsertest.cc
+++ b/chromium/content/browser/security_exploit_browsertest.cc
@@ -45,6 +45,7 @@
#include "content/public/common/content_switches.h"
#include "content/public/common/navigation_policy.h"
#include "content/public/common/url_constants.h"
+#include "content/public/test/back_forward_cache_util.h"
#include "content/public/test/browser_test.h"
#include "content/public/test/browser_test_utils.h"
#include "content/public/test/content_browser_test.h"
@@ -240,19 +241,19 @@ class DelayedFileChooserDelegate : public WebContentsDelegate {
// WebContentsDelegate overrides
void RunFileChooser(RenderFrameHost* render_frame_host,
- std::unique_ptr<FileSelectListener> listener,
+ scoped_refptr<FileSelectListener> listener,
const blink::mojom::FileChooserParams& params) override {
listener_ = std::move(listener);
}
void EnumerateDirectory(WebContents* web_contents,
- std::unique_ptr<FileSelectListener> listener,
+ scoped_refptr<FileSelectListener> listener,
const base::FilePath& directory_path) override {
listener->FileSelectionCanceled();
}
private:
- std::unique_ptr<FileSelectListener> listener_;
+ scoped_refptr<FileSelectListener> listener_;
};
void FileChooserCallback(base::RunLoop* run_loop,
@@ -454,11 +455,11 @@ class CorsExploitBrowserTest : public ContentBrowserTest {
};
// This is a regression test for https://crbug.com/961614 - it makes sure that
-// the trustworthy |request_initiator_site_lock| takes precedent over
+// the trustworthy |request_initiator_origin_lock| takes precedent over
// the untrustworthy |request.request_initiator|.
//
// For spoofing a |request.request_initiator| that doesn't match
-// |request_initiator_site_lock|, the test relies on a misfeature of HTML
+// |request_initiator_origin_lock|, the test relies on a misfeature of HTML
// Imports. It is unclear how to replicate such spoofing once HTML imports are
// deprecated.
IN_PROC_BROWSER_TEST_F(CorsExploitBrowserTest,
@@ -1183,10 +1184,26 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitBrowserTest, DidCommitInvalidURL) {
// platforms without site-per-process.
IsolateOrigin("foo.com");
+ RenderFrameDeletedObserver initial_frame_deleted_observer(
+ shell()->web_contents()->GetMainFrame());
+
+ // Test assumes the initial RenderFrameHost to be deleted. Disable
+ // back-forward cache to ensure that it doesn't get preserved in the cache.
+ DisableBackForwardCacheForTesting(shell()->web_contents(),
+ BackForwardCache::TEST_ASSUMES_NO_CACHING);
+
// Navigate to foo.com initially.
GURL foo_url(embedded_test_server()->GetURL("foo.com", "/title1.html"));
EXPECT_TRUE(NavigateToURL(shell(), foo_url));
+ // Wait for the RenderFrameHost which was current before the navigation to
+ // foo.com to be deleted. This is necessary, since on a slow system the
+ // UnloadACK event can arrive after the DidCommitUrlReplacer instance below
+ // is created. The replacer code has checks to ensure that all frames being
+ // deleted it has seen being created, which with delayed UnloadACK is
+ // violated.
+ initial_frame_deleted_observer.WaitUntilDeleted();
+
// Create the interceptor object which will replace the URL of the subsequent
// navigation with bar.com based URL.
GURL bar_url(embedded_test_server()->GetURL("bar.com", "/title3.html"));
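Review bot: The context line `EXPECT_TRUE(NavigateToURL(shell(), foo_url));` stays non-fatal, yet the added `initial_frame_deleted_observer.WaitUntilDeleted();` right after it blocks until the initial RenderFrameHost is gone. If the navigation to foo.com fails, or commits without replacing that frame host, the test will presumably sit in the wait until the harness timeout rather than failing at the navigation. `ASSERT_TRUE(NavigateToURL(shell(), foo_url));` would stop it there and keep a broken precondition from being reported as a timeout in this security regression test. The added comment's clause "all frames being deleted it has seen being created" would read better as "every frame it sees deleted is one it also saw created". The test body begins and ends outside this hunk.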
@@ -1374,11 +1391,12 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitViaDisabledWebSecurityTest,
mojom::NavigationType::DIFFERENT_DOCUMENT, NavigationDownloadPolicy(),
false /* should_replace_current_entry */,
file_url, /* base_url_for_data_url */
- GURL() /* history_url_for_data_url */, PREVIEWS_UNSPECIFIED,
+ GURL() /* history_url_for_data_url */,
+ blink::PreviewsTypes::PREVIEWS_UNSPECIFIED,
base::TimeTicks::Now() /* navigation_start */, "GET",
nullptr /* post_data */, network::mojom::SourceLocation::New(),
false /* started_from_context_menu */, false /* has_user_gesture */,
- CreateInitiatorCSPInfo(),
+ false /* text_fragment_token */, CreateInitiatorCSPInfo(),
std::vector<int>() /* initiator_origin_trial_features */,
std::string() /* href_translate */,
false /* is_history_navigation_in_new_child_frame */,
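Review bot: The new positional argument `false /* text_fragment_token */` follows two other bare `false` literals, and the next hunk adds two adjacent `base::TimeTicks()` arguments the same way, so a misplaced value would still compile and the trailing comments are the only guard. Writing them as `/*text_fragment_token=*/false`, `/*renderer_before_unload_start=*/base::TimeTicks()` and `/*renderer_before_unload_end=*/base::TimeTicks()` lets clang-tidy's bugprone-argument-comment check compare each name with the declared parameter. This matters because the test expects renderer termination for one specific invalid message, and a shifted argument could change why the message is rejected without the test noticing. The call starts before this hunk and ends after it, so the rest of the argument list is not visible here.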
@@ -1398,7 +1416,9 @@ IN_PROC_BROWSER_TEST_F(SecurityExploitViaDisabledWebSecurityTest,
GURL() /* client_side_redirect_url */,
base::nullopt /* devtools_initiator_info */,
false /* force_ignore_site_for_cookies */,
- nullptr /* trust_token_params */, base::nullopt /* impression */);
+ nullptr /* trust_token_params */, base::nullopt /* impression */,
+ base::TimeTicks() /* renderer_before_unload_start */,
+ base::TimeTicks() /* renderer_before_unload_end */);
// Receiving the invalid IPC message should lead to renderer process
// termination.