UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3662.0 Safari/537.36

Steps to reproduce the problem:
We're observing the main page of usatoday.com reliably crashing on the latest Chrome Canary builds.

After reviewing a crash dump, it appears that a stack involving network::mojom::URLLoaderFactoryStubDispatch::Accept+ eventually hits content::BrowserMessageFilter::ShutdownForBadMessage which is in turn killing the renderer. The URL in the dump is about:srcdoc.

100% reproducible repro:
1. Load a page with this: <iframe src="about:srcdoc"></iframe> (or go to usatoday.com)

2. Result: crashes

What is the expected behavior?
Page doesn't crash.

What went wrong?
After reviewing the repro on various builds with bisect-builds.py, I received this output:

You are probably looking for a change made after 620151 (known good), but no later than 620159 (first known bad).
CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/ad3c8c91a0d1d07a4e81dbc29beadfad382fcf3f..02f9f417506bc968be221423ffdc998c46803bc6

The commit labeled, "DocumentLoader: make srcdoc navigations async," looks directly related:
https://chromium.googlesource.com/chromium/src/+/4cd2ca13715b4d1c25c183be3e981ba26354121f
https://chromium-review.googlesource.com/c/chromium/src/+/1390259

Crashed report ID: 

How much crashed? Just one tab

Is it a problem with a plugin? No 

Did this work before? Yes 

Chrome version: 73.0.3662.0  Channel: n/a
OS Version: 10.0
Flash Version:
 

Deleted: test.html 109 bytes

test.html 109 bytes View Download