Chrome Version: 55.0.2883.75, 57.0.2939.0
OS: All
What steps will reproduce the problem?
(1) Visit http://csreis.github.io/tests/inject-into-blank-fragment-frame.html
(2) Visit http://csreis.github.io/tests/
(3) Go back.
What is the expected result?
You should see "This content was injected on page load" in the iframe after going back.
What happens instead?
The iframe is blank.
This is similar to issue 626416 and issue 657896, but I'm not aware of any real pages this affects yet. Other browsers are also inconsistent: Firefox won't allow the content injection even on new page loads, Safari won't allow injection if there's a fragment on about:blank, and Edge doesn't support fragments on about:blank. Still, it's inconsistent with how Chrome used to behave, before turning on the new navigation logic in r410150.
We came across it while reviewing https://codereview.chromium.org/2534393003/, when the fast/history/history-length-append-subframe-with-hash.html layout test (from issue 353096) started failing.
The problem is that our session history logic for loading about:blank synchronously on back/forward/restore doesn't handle the fragment case well. We currently exclude about:blank/#foo, which makes us load it asynchronously, and break cases that the parent synchronously injects content. If we were to load it synchronously, though, it would lose the fragment and break the layout test.
It's likely that finishing issue 639842 and sending a subtree of PageStates will fix this bug.
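The parent-side injection pattern the report describes, plus a check for the failure mode it reports (the frame coming back blank after a back navigation), as an added example; this is not the linked test page's code, and the function names and the fake frame are assumptions made here so the logic can run outside a browser:

```javascript
// Added example: a parent page that injects content into a blank iframe
// (about:blank or about:blank#fragment) and verifies the injection stuck.

const INJECTED_TEXT = "This content was injected on page load";

// Synchronously write content into the frame's document.
// Returns false when the document is not reachable (cross-origin, or not created yet).
function injectIntoBlankFrame(frame, text) {
  const doc = frame.contentDocument;
  if (!doc || !doc.body) return false;
  doc.body.textContent = text;
  return true;
}

// True when the frame still shows the injected text; false when it is blank,
// which is what the report observes after going back to an about:blank#foo frame.
function injectionSurvived(frame, text) {
  const doc = frame.contentDocument;
  return Boolean(doc && doc.body && doc.body.textContent === text);
}

// Inject once up front, then re-check whenever the frame (re)loads, e.g. on a
// back/forward restore, and re-inject if the content was lost.
function injectWithRestoreCheck(frame, text) {
  injectIntoBlankFrame(frame, text);
  frame.addEventListener("load", () => {
    if (!injectionSurvived(frame, text)) injectIntoBlankFrame(frame, text);
  });
  return injectionSurvived(frame, text);
}

// Constructed stand-in for an iframe (assumption, not a real DOM object).
function makeFakeFrame(initialText) {
  const listeners = [];
  const frame = {
    contentDocument: { body: { textContent: initialText } },
    addEventListener(type, fn) { if (type === "load") listeners.push(fn); },
    // Simulate a restore that replaced the document with a blank one, then fired load.
    simulateBlankRestore() {
      frame.contentDocument = { body: { textContent: "" } };
      listeners.forEach((fn) => fn());
    },
  };
  return frame;
}
```

In a real page, `frame` would be the `<iframe src="about:blank#foo">` element and the check runs in its `load` handler.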
Comment 1 by creis@chromium.org, Dec 5 2016
Status: Started (was: Assigned)