Incoming interface requests from a render frame can race with navigation, such that the interface binder can't possibly know the request originated from the frame's previous navigation state, which may be an entirely different security origin.
We should at least rebind the RF's InterfaceProvider on navigation to ensure that incoming interface requests in RFH are only ever dispatched for the currently-committed navigation's document.
This work was previously deferred due to a lack of sane browser+renderer infrastructure to support congruity between frame- and document-scope, but since there has been at least one actual security bug resulting from this (issue 736357) it should be addressed ASAP.
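The race described above, and the rebind-on-navigation mitigation it proposes, as an added C++ model that is not Chromium code: each request carries the generation of the InterfaceProvider binding it was sent over, and the browser side refuses any request whose generation predates the currently committed document. All names here (RenderFrameHostModel, example.mojom.Widget, the two origins) are constructed for the example.

```cpp
#include <cstdint>
#include <string>

// A request from the renderer, tagged with the binding generation it used.
struct InterfaceRequest {
  std::string interface_name;
  uint64_t binding_generation;
};

// What the browser-side binder decides: which origin it attributes the
// request to, and whether it dispatches it at all.
struct Dispatch {
  std::string interface_name;
  std::string origin;
  bool accepted;
};

class RenderFrameHostModel {
 public:
  // Renderer side: the current document requests an interface over its binding.
  InterfaceRequest MakeRequest(const std::string& name) const {
    return {name, renderer_binding_generation_};
  }
  // Browser side: a navigation commits a new document (possibly a new origin).
  // With rebinding, the old binding is invalidated so in-flight requests from
  // the previous document can no longer be attributed to the new one.
  void CommitNavigation(const std::string& new_origin, bool rebind_on_navigation) {
    committed_origin_ = new_origin;
    if (rebind_on_navigation) ++browser_binding_generation_;
  }
  // Renderer side: the new document picks up the fresh binding.
  void RendererPicksUpBinding() { renderer_binding_generation_ = browser_binding_generation_; }
  // Browser side: only requests sent over the current binding are dispatched.
  Dispatch Bind(const InterfaceRequest& req) const {
    bool fresh = req.binding_generation == browser_binding_generation_;
    return {req.interface_name, committed_origin_, fresh};
  }
 private:
  std::string committed_origin_ = "https://a.example";  // constructed origin
  uint64_t browser_binding_generation_ = 1;
  uint64_t renderer_binding_generation_ = 1;
};

// The race: the old document's request is still in flight when the navigation
// to a different origin commits. Without rebinding it is accepted as if it
// came from the new document; with rebinding it is dropped.
Dispatch RaceScenario(bool rebind_on_navigation) {
  RenderFrameHostModel rfh;
  InterfaceRequest in_flight = rfh.MakeRequest("example.mojom.Widget");  // from a.example
  rfh.CommitNavigation("https://b.example", rebind_on_navigation);
  return rfh.Bind(in_flight);
}

// The normal path after commit: the new document's own requests still work.
Dispatch PostCommitScenario() {
  RenderFrameHostModel rfh;
  rfh.CommitNavigation("https://b.example", true);
  rfh.RendererPicksUpBinding();
  return rfh.Bind(rfh.MakeRequest("example.mojom.Widget"));
}
```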
Comment 1 by roc...@chromium.org, Oct 17