Bad IPC message to password manager with out-of-process iframes enabled
Issue description
Chrome Version: 57.0.2938.0 (also reproduced on 55.0.2883.59)
OS: reproduced on Mac and Linux

What steps will reproduce the problem?
(1) Navigate to chrome://flags, enable "Out of process iframes", relaunch Chrome.
(2) Navigate to http://example.com and open DevTools.
(3) In the console, run the following:
    var i = document.createElement('iframe'); i.srcdoc = "<input type='password'>"; document.body.appendChild(i)

What is the expected result?
No sad tab

What happens instead?
Sad tab with the following message: Terminating renderer for bad PasswordManager IPC message, reason 1
Comment 1 by nick@chromium.org, Dec 2 2016
Debugged a repro. The URL comes in as about:srcdoc, so this may be an issue of the renderer needing to send the origin rather than the URL. If so, blob and filesystem may also be affected.
Dec 2 2016
This also seems to happen with an about:blank iframe and an injected <input>. But it seems to work fine with data: and blob: URLs.
Dec 8 2016
While I could not reproduce on about:blank, I could reproduce on the originally reported example.com. I see ChildProcessSecurityPolicyImpl::SecurityState::CanAccessDataForOrigin return false after seeing origin_lock_=="http://example.com/" and site_gurl=="about:". This leads to the failed bad message check and renderer kill. I have no idea what the method does, though. nick@, do you know?
Dec 8 2016
Marking "Polish" because the effect of this bug is user-visible (and also to get it out of the triaging queue for passwords).
Oct 23 2017
Seems to work fine on 64.0.3245.0 (GNU/Linux). There is no longer the "Out of process iframes" flag, but I assume this is now the default behaviour? If not, please reopen and try to specify the URL of the flag to use. Thanks!
Oct 23 2017
The about:flags feature for --site-per-process changed names from "Out of process iframes" to "Strict site isolation" and it's still experimental, but I agree this doesn't repro anymore when it's enabled. (We're just finishing up a week long trial of having that enabled for a percentage of Canary, FWIW.) I think it was likely fixed by alexmos@ in r503339 for issue 756587.