In some cases we can encounter races where a resource completion callback is delivered for a previously committed page. For example:
1. page A commits
2. navigation for page B is initiated
3. page A initiates a resource request (perhaps in the beforeunload handler)
4. page B commits
5. resource request from A completes
In this case, depending on whether the RFHs for page A have been cleaned up yet in the browser process, the resource request for A may be delivered and attributed to page B.
We should guard against this. We can verify that the resource's RFH matches the currently committed load's RFH to catch cross-origin cases.
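As an added illustration (not Chromium's code, and not part of the report), the C++ model below replays the ordering above in a toy browser-side bookkeeping class and compares the unguarded attribution with the proposed check that the request's RFH still matches the committed one. Every name here (Tab, Page, RfhId, ResourceRequest, RunRace, RunNoRace, the example origins) is a hypothetical stand-in, and the RFH-reuse behaviour for the same-site case is an assumption of the model, not a statement about Chromium's actual swap policy.

```cpp
// Added example, not Chromium code: a minimal model of the race in the report
// and of the proposed "does the resource's RFH match the committed RFH" guard.
#include <cstdint>
#include <map>
#include <string>
#include <vector>

using RfhId = uint64_t;  // hypothetical stand-in for a RenderFrameHost identity

struct Page {
  RfhId rfh;
  std::string origin;
};

struct ResourceRequest {
  uint64_t id;
  RfhId initiating_rfh;  // recorded when the request was issued
  std::string url;
};

class Tab {
 public:
  // A navigation commits: this page's RFH becomes the current one.
  void Commit(const Page& page) { current_ = page; }

  // The currently committed page starts a request; tag it with its RFH.
  ResourceRequest StartRequest(const std::string& url) {
    return ResourceRequest{next_request_id_++, current_.rfh, url};
  }

  // Completion arrives from the network layer.
  // Unguarded: attribute it to whatever page is committed now (the bug).
  // Guarded: accept it only if the request's RFH is still the committed one,
  // otherwise drop it. Returns the origin it was attributed to, "" if dropped.
  std::string OnResourceComplete(const ResourceRequest& req, bool guarded) {
    if (guarded && req.initiating_rfh != current_.rfh) {
      ++dropped_;
      return "";
    }
    attributed_[current_.origin].push_back(req.url);
    return current_.origin;
  }

  int dropped() const { return dropped_; }
  const std::map<std::string, std::vector<std::string>>& attributed() const {
    return attributed_;
  }

 private:
  Page current_{0, ""};
  uint64_t next_request_id_ = 1;
  int dropped_ = 0;
  std::map<std::string, std::vector<std::string>> attributed_;
};

// Replays the five steps from the report. cross_site picks whether B gets a
// fresh RFH (modelled as a cross-site navigation) or reuses A's RFH (modelled
// as a same-site navigation, where the guard cannot, and need not, distinguish
// the two pages because they share an origin).
std::string RunRace(bool guarded, bool cross_site) {
  Tab tab;
  const Page a{1, "https://a.example"};
  const Page b{cross_site ? RfhId{2} : RfhId{1},
               cross_site ? "https://b.example" : "https://a.example"};

  tab.Commit(a);                                                   // 1. A commits
  // 2. navigation to B is initiated (no browser-side state change modelled)
  ResourceRequest req = tab.StartRequest("https://a.example/beacon");  // 3.
  tab.Commit(b);                                                   // 4. B commits
  return tab.OnResourceComplete(req, guarded);                     // 5. A's request completes
}

// Control: the request completes before B commits, so both modes attribute it to A.
std::string RunNoRace(bool guarded) {
  Tab tab;
  tab.Commit(Page{1, "https://a.example"});
  ResourceRequest req = tab.StartRequest("https://a.example/script.js");
  std::string origin = tab.OnResourceComplete(req, guarded);
  tab.Commit(Page{2, "https://b.example"});
  return origin;
}
```

In the cross-site replay the unguarded path attributes A's beacon to `https://b.example`, which is the misattribution the report describes; the guarded path drops it because the request's RFH no longer matches the committed one. In the same-site replay the RFH is reused, so the guard lets the completion through, which is the limit the report acknowledges when it says the check catches the cross-origin cases.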
Comment 1 by bugdroid1@chromium.org, Jul 7 2017