Fix routing of frame messages after cross-origin navigation (fixes issue #2849)

When navigating cross-origin a speculative RenderFrameHost (RFH) and CefFrameHostImpl is created in the browser process for the new frame object created in a new renderer process. The FrameAttached message then arrives for the speculative RFH, and as a consequence interfaces are bound between the new CefFrameHostImpl and the speculative RFH. If the pending navigation commits then the existing RFH will be replaced with the previously speculative RFH. Since interfaces are already bound we must keep the new CefFrameHostImpl. This means that frame objects (including for the main frame) will now always change after cross-origin navigation, and the old frame object will be invalidated.
2025-06-05 21:39:12 +02:00 · 2021-05-18 20:45:05 -04:00
parent ebee84755e
commit d9efaee9b9
6 changed files with 34 additions and 22 deletions
--- a/libcef/browser/frame_host_impl.h
+++ b/libcef/browser/frame_host_impl.h
@ -41,7 +41,9 @@ class CefFrameHostImpl : public CefFrame, public cef::mojom::BrowserFrame {
  CefFrameHostImpl(scoped_refptr<CefBrowserInfo> browser_info,
                   content::RenderFrameHost* render_frame_host);

-  // Update an existing main frame object.
+  // Update an existing main frame object on creation or for same-origin
+  // navigations. A new CefFrameHostImpl will be created for cross-origin
+  // navigations.
  void SetRenderFrameHost(content::RenderFrameHost* host);

  ~CefFrameHostImpl() override;