Upstream version 5.34.104.0

[platform/framework/web/crosswalk.git] / src / content / renderer / render_frame_impl.cc

diff --git a/src/content/renderer/render_frame_impl.cc b/src/content/renderer/render_frame_impl.cc
index 975d307..a2b838a 100644 (file)
--- a/src/content/renderer/render_frame_impl.cc
+++ b/src/content/renderer/render_frame_impl.cc
@@ -11,6 +11,9 @@
 #include "base/debug/alias.h"
 #include "base/debug/dump_without_crashing.h"
 #include "base/i18n/char_iterator.h"
+#include "base/metrics/histogram.h"
+#include "base/process/kill.h"
+#include "base/process/process.h"
 #include "base/strings/utf_string_conversions.h"
 #include "base/time/time.h"
 #include "content/child/appcache/appcache_dispatcher.h"
@@ -24,15 +27,20 @@
 #include "content/common/view_messages.h"
 #include "content/public/common/content_constants.h"
 #include "content/public/common/content_switches.h"
+#include "content/public/common/context_menu_params.h"
 #include "content/public/common/url_constants.h"
+#include "content/public/common/url_utils.h"
 #include "content/public/renderer/content_renderer_client.h"
+#include "content/public/renderer/context_menu_client.h"
 #include "content/public/renderer/document_state.h"
+#include "content/public/renderer/history_item_serialization.h"
 #include "content/public/renderer/navigation_state.h"
 #include "content/public/renderer/render_frame_observer.h"
 #include "content/renderer/accessibility/renderer_accessibility.h"
 #include "content/renderer/browser_plugin/browser_plugin.h"
 #include "content/renderer/browser_plugin/browser_plugin_manager.h"
 #include "content/renderer/child_frame_compositing_helper.h"
+#include "content/renderer/context_menu_params_builder.h"
 #include "content/renderer/internal_document_state_data.h"
 #include "content/renderer/npapi/plugin_channel_host.h"
 #include "content/renderer/render_thread_impl.h"
@@ -41,6 +49,7 @@
 #include "content/renderer/renderer_webapplicationcachehost_impl.h"
 #include "content/renderer/shared_worker_repository.h"
 #include "content/renderer/websharedworker_proxy.h"
+#include "net/base/data_url.h"
 #include "net/base/net_errors.h"
 #include "net/http/http_util.h"
 #include "third_party/WebKit/public/platform/WebStorageQuotaCallbacks.h"
@@ -51,11 +60,13 @@
 #include "third_party/WebKit/public/platform/WebVector.h"
 #include "third_party/WebKit/public/web/WebDocument.h"
 #include "third_party/WebKit/public/web/WebFrame.h"
+#include "third_party/WebKit/public/web/WebGlyphCache.h"
 #include "third_party/WebKit/public/web/WebNavigationPolicy.h"
 #include "third_party/WebKit/public/web/WebPlugin.h"
 #include "third_party/WebKit/public/web/WebPluginParams.h"
 #include "third_party/WebKit/public/web/WebSearchableFormData.h"
 #include "third_party/WebKit/public/web/WebSecurityOrigin.h"
+#include "third_party/WebKit/public/web/WebSecurityPolicy.h"
 #include "third_party/WebKit/public/web/WebUserGestureIndicator.h"
 #include "third_party/WebKit/public/web/WebView.h"
 #include "webkit/child/weburlresponse_extradata_impl.h"
@@ -72,14 +83,19 @@
 #include "content/renderer/media/rtc_peer_connection_handler.h"
 #endif
 
+using blink::WebContextMenuData;
+using blink::WebData;
 using blink::WebDataSource;
 using blink::WebDocument;
 using blink::WebFrame;
+using blink::WebHistoryItem;
+using blink::WebHTTPBody;
 using blink::WebNavigationPolicy;
 using blink::WebPluginParams;
 using blink::WebReferrerPolicy;
 using blink::WebSearchableFormData;
 using blink::WebSecurityOrigin;
+using blink::WebSecurityPolicy;
 using blink::WebServiceWorkerProvider;
 using blink::WebStorageQuotaCallbacks;
 using blink::WebString;
@@ -101,6 +117,97 @@ namespace {
 typedef std::map<blink::WebFrame*, RenderFrameImpl*> FrameMap;
 base::LazyInstance<FrameMap> g_frame_map = LAZY_INSTANCE_INITIALIZER;
 
+int64 ExtractPostId(const WebHistoryItem& item) {
+  if (item.isNull())
+    return -1;
+
+  if (item.httpBody().isNull())
+    return -1;
+
+  return item.httpBody().identifier();
+}
+
+WebURLResponseExtraDataImpl* GetExtraDataFromResponse(
+    const WebURLResponse& response) {
+  return static_cast<WebURLResponseExtraDataImpl*>(
+      response.extraData());
+}
+
+void GetRedirectChain(WebDataSource* ds, std::vector<GURL>* result) {
+  // Replace any occurrences of swappedout:// with about:blank.
+  const WebURL& blank_url = GURL(kAboutBlankURL);
+  WebVector<WebURL> urls;
+  ds->redirectChain(urls);
+  result->reserve(urls.size());
+  for (size_t i = 0; i < urls.size(); ++i) {
+    if (urls[i] != GURL(kSwappedOutURL))
+      result->push_back(urls[i]);
+    else
+      result->push_back(blank_url);
+  }
+}
+
+NOINLINE static void CrashIntentionally() {
+  // NOTE(shess): Crash directly rather than using NOTREACHED() so
+  // that the signature is easier to triage in crash reports.
+  volatile int* zero = NULL;
+  *zero = 0;
+}
+
+#if defined(ADDRESS_SANITIZER)
+NOINLINE static void MaybeTriggerAsanError(const GURL& url) {
+  // NOTE(rogerm): We intentionally perform an invalid heap access here in
+  //     order to trigger an Address Sanitizer (ASAN) error report.
+  static const char kCrashDomain[] = "crash";
+  static const char kHeapOverflow[] = "/heap-overflow";
+  static const char kHeapUnderflow[] = "/heap-underflow";
+  static const char kUseAfterFree[] = "/use-after-free";
+  static const int kArraySize = 5;
+
+  if (!url.DomainIs(kCrashDomain, sizeof(kCrashDomain) - 1))
+    return;
+
+  if (!url.has_path())
+    return;
+
+  scoped_ptr<int[]> array(new int[kArraySize]);
+  std::string crash_type(url.path());
+  int dummy = 0;
+  if (crash_type == kHeapOverflow) {
+    dummy = array[kArraySize];
+  } else if (crash_type == kHeapUnderflow ) {
+    dummy = array[-1];
+  } else if (crash_type == kUseAfterFree) {
+    int* dangling = array.get();
+    array.reset();
+    dummy = dangling[kArraySize / 2];
+  }
+
+  // Make sure the assignments to the dummy value aren't optimized away.
+  base::debug::Alias(&dummy);
+}
+#endif  // ADDRESS_SANITIZER
+
+static void MaybeHandleDebugURL(const GURL& url) {
+  if (!url.SchemeIs(kChromeUIScheme))
+    return;
+  if (url == GURL(kChromeUICrashURL)) {
+    CrashIntentionally();
+  } else if (url == GURL(kChromeUIKillURL)) {
+    base::KillProcess(base::GetCurrentProcessHandle(), 1, false);
+  } else if (url == GURL(kChromeUIHangURL)) {
+    for (;;) {
+      base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(1));
+    }
+  } else if (url == GURL(kChromeUIShorthangURL)) {
+    base::PlatformThread::Sleep(base::TimeDelta::FromSeconds(20));
+  }
+
+#if defined(ADDRESS_SANITIZER)
+  MaybeTriggerAsanError(url);
+#endif  // ADDRESS_SANITIZER
+}
+
 }  // namespace
 
 static RenderFrameImpl* (*g_create_render_frame_impl)(RenderViewImpl*, int32) =
@@ -153,13 +260,6 @@ RenderFrameImpl::~RenderFrameImpl() {
   RenderThread::Get()->RemoveRoute(routing_id_);
 }
 
-// TODO(nasko): Overload the delete operator to overwrite the freed
-// RenderFrameImpl object and help detect potential use-after-free bug.
-// See https://crbug.com/245126#c34.
-void RenderFrameImpl::operator delete(void* ptr) {
-  memset(ptr, 0xAF, sizeof(RenderFrameImpl));
-}
-
 void RenderFrameImpl::SetWebFrame(blink::WebFrame* web_frame) {
   DCHECK(!frame_);
 
@@ -387,10 +487,15 @@ bool RenderFrameImpl::OnMessageReceived(const IPC::Message& msg) {
   bool handled = true;
   bool msg_is_ok = true;
   IPC_BEGIN_MESSAGE_MAP_EX(RenderFrameImpl, msg, msg_is_ok)
+    IPC_MESSAGE_HANDLER(FrameMsg_Navigate, OnNavigate)
     IPC_MESSAGE_HANDLER(FrameMsg_SwapOut, OnSwapOut)
     IPC_MESSAGE_HANDLER(FrameMsg_BuffersSwapped, OnBuffersSwapped)
     IPC_MESSAGE_HANDLER_GENERIC(FrameMsg_CompositorFrameSwapped,
                                 OnCompositorFrameSwapped(msg))
+    IPC_MESSAGE_HANDLER(FrameMsg_ChildFrameProcessGone, OnChildFrameProcessGone)
+    IPC_MESSAGE_HANDLER(FrameMsg_ContextMenuClosed, OnContextMenuClosed)
+    IPC_MESSAGE_HANDLER(FrameMsg_CustomContextMenuAction,
+                        OnCustomContextMenuAction)
   IPC_END_MESSAGE_MAP_EX()
 
   if (!msg_is_ok) {
@@ -400,7 +505,189 @@ bool RenderFrameImpl::OnMessageReceived(const IPC::Message& msg) {
   }
 
   return handled;
- }
+}
+
+void RenderFrameImpl::OnNavigate(const FrameMsg_Navigate_Params& params) {
+  MaybeHandleDebugURL(params.url);
+  if (!render_view_->webview())
+    return;
+
+  render_view_->OnNavigate(params);
+
+  bool is_reload = RenderViewImpl::IsReload(params);
+  WebURLRequest::CachePolicy cache_policy =
+      WebURLRequest::UseProtocolCachePolicy;
+
+  // If this is a stale back/forward (due to a recent navigation the browser
+  // didn't know about), ignore it.
+  if (render_view_->IsBackForwardToStaleEntry(params, is_reload))
+    return;
+
+  // Swap this renderer back in if necessary.
+  if (render_view_->is_swapped_out_) {
+    // We marked the view as hidden when swapping the view out, so be sure to
+    // reset the visibility state before navigating to the new URL.
+    render_view_->webview()->setVisibilityState(
+        render_view_->visibilityState(), false);
+
+    // If this is an attempt to reload while we are swapped out, we should not
+    // reload swappedout://, but the previous page, which is stored in
+    // params.state.  Setting is_reload to false will treat this like a back
+    // navigation to accomplish that.
+    is_reload = false;
+    cache_policy = WebURLRequest::ReloadIgnoringCacheData;
+
+    // We refresh timezone when a view is swapped in since timezone
+    // can get out of sync when the system timezone is updated while
+    // the view is swapped out.
+    RenderViewImpl::NotifyTimezoneChange(render_view_->webview()->mainFrame());
+
+    render_view_->SetSwappedOut(false);
+    is_swapped_out_ = false;
+  }
+
+  if (params.should_clear_history_list) {
+    CHECK_EQ(params.pending_history_list_offset, -1);
+    CHECK_EQ(params.current_history_list_offset, -1);
+    CHECK_EQ(params.current_history_list_length, 0);
+  }
+  render_view_->history_list_offset_ = params.current_history_list_offset;
+  render_view_->history_list_length_ = params.current_history_list_length;
+  if (render_view_->history_list_length_ >= 0) {
+    render_view_->history_page_ids_.resize(
+        render_view_->history_list_length_, -1);
+  }
+  if (params.pending_history_list_offset >= 0 &&
+      params.pending_history_list_offset < render_view_->history_list_length_) {
+    render_view_->history_page_ids_[params.pending_history_list_offset] =
+        params.page_id;
+  }
+
+  GetContentClient()->SetActiveURL(params.url);
+
+  WebFrame* frame = frame_;
+  if (!params.frame_to_navigate.empty()) {
+    // TODO(nasko): Move this lookup to the browser process.
+    frame = render_view_->webview()->findFrameByName(
+        WebString::fromUTF8(params.frame_to_navigate));
+    CHECK(frame) << "Invalid frame name passed: " << params.frame_to_navigate;
+  }
+
+  if (is_reload && frame->currentHistoryItem().isNull()) {
+    // We cannot reload if we do not have any history state.  This happens, for
+    // example, when recovering from a crash.
+    is_reload = false;
+    cache_policy = WebURLRequest::ReloadIgnoringCacheData;
+  }
+
+  render_view_->pending_navigation_params_.reset(
+      new FrameMsg_Navigate_Params(params));
+
+  // If we are reloading, then WebKit will use the history state of the current
+  // page, so we should just ignore any given history state.  Otherwise, if we
+  // have history state, then we need to navigate to it, which corresponds to a
+  // back/forward navigation event.
+  if (is_reload) {
+    bool reload_original_url =
+        (params.navigation_type ==
+            FrameMsg_Navigate_Type::RELOAD_ORIGINAL_REQUEST_URL);
+    bool ignore_cache = (params.navigation_type ==
+                             FrameMsg_Navigate_Type::RELOAD_IGNORING_CACHE);
+
+    if (reload_original_url)
+      frame->reloadWithOverrideURL(params.url, true);
+    else
+      frame->reload(ignore_cache);
+  } else if (params.page_state.IsValid()) {
+    // We must know the page ID of the page we are navigating back to.
+    DCHECK_NE(params.page_id, -1);
+    WebHistoryItem item = PageStateToHistoryItem(params.page_state);
+    if (!item.isNull()) {
+      // Ensure we didn't save the swapped out URL in UpdateState, since the
+      // browser should never be telling us to navigate to swappedout://.
+      CHECK(item.urlString() != WebString::fromUTF8(kSwappedOutURL));
+      frame->loadHistoryItem(item, cache_policy);
+    }
+  } else if (!params.base_url_for_data_url.is_empty()) {
+    // A loadData request with a specified base URL.
+    std::string mime_type, charset, data;
+    if (net::DataURL::Parse(params.url, &mime_type, &charset, &data)) {
+      frame->loadData(
+          WebData(data.c_str(), data.length()),
+          WebString::fromUTF8(mime_type),
+          WebString::fromUTF8(charset),
+          params.base_url_for_data_url,
+          params.history_url_for_data_url,
+          false);
+    } else {
+      CHECK(false) <<
+          "Invalid URL passed: " << params.url.possibly_invalid_spec();
+    }
+  } else {
+    // Navigate to the given URL.
+    WebURLRequest request(params.url);
+
+    // A session history navigation should have been accompanied by state.
+    CHECK_EQ(params.page_id, -1);
+
+    if (frame->isViewSourceModeEnabled())
+      request.setCachePolicy(WebURLRequest::ReturnCacheDataElseLoad);
+
+    if (params.referrer.url.is_valid()) {
+      WebString referrer = WebSecurityPolicy::generateReferrerHeader(
+          params.referrer.policy,
+          params.url,
+          WebString::fromUTF8(params.referrer.url.spec()));
+      if (!referrer.isEmpty())
+        request.setHTTPReferrer(referrer, params.referrer.policy);
+    }
+
+    if (!params.extra_headers.empty()) {
+      for (net::HttpUtil::HeadersIterator i(params.extra_headers.begin(),
+                                            params.extra_headers.end(), "\n");
+           i.GetNext(); ) {
+        request.addHTTPHeaderField(WebString::fromUTF8(i.name()),
+                                   WebString::fromUTF8(i.values()));
+      }
+    }
+
+    if (params.is_post) {
+      request.setHTTPMethod(WebString::fromUTF8("POST"));
+
+      // Set post data.
+      WebHTTPBody http_body;
+      http_body.initialize();
+      const char* data = NULL;
+      if (params.browser_initiated_post_data.size()) {
+        data = reinterpret_cast<const char*>(
+            &params.browser_initiated_post_data.front());
+      }
+      http_body.appendData(
+          WebData(data, params.browser_initiated_post_data.size()));
+      request.setHTTPBody(http_body);
+    }
+
+    frame->loadRequest(request);
+
+    // If this is a cross-process navigation, the browser process will send
+    // along the proper navigation start value.
+    if (!params.browser_navigation_start.is_null() &&
+        frame->provisionalDataSource()) {
+      // browser_navigation_start is likely before this process existed, so we
+      // can't use InterProcessTimeTicksConverter. Instead, the best we can do
+      // is just ensure we don't report a bogus value in the future.
+      base::TimeTicks navigation_start = std::min(
+          base::TimeTicks::Now(), params.browser_navigation_start);
+      double navigation_start_seconds =
+          (navigation_start - base::TimeTicks()).InSecondsF();
+      frame->provisionalDataSource()->setNavigationStartTime(
+          navigation_start_seconds);
+    }
+  }
+
+  // In case LoadRequest failed before DidCreateDataSource was called.
+  render_view_->pending_navigation_params_.reset();
+}
 
 void RenderFrameImpl::OnSwapOut() {
   // Only run unload if we're not swapped out yet, but send the ack either way.
@@ -449,7 +736,7 @@ void RenderFrameImpl::OnBuffersSwapped(
   }
   compositing_helper_->OnBuffersSwapped(
       params.size,
-      params.mailbox_name,
+      params.mailbox,
       params.gpu_route_id,
       params.gpu_host_id,
       render_view_->GetWebView()->deviceScaleFactor());
@@ -474,6 +761,56 @@ void RenderFrameImpl::OnCompositorFrameSwapped(const IPC::Message& message) {
                                                 param.a.producing_host_id);
 }
 
+void RenderFrameImpl::OnContextMenuClosed(
+    const CustomContextMenuContext& custom_context) {
+  if (custom_context.request_id) {
+    // External request, should be in our map.
+    ContextMenuClient* client =
+        pending_context_menus_.Lookup(custom_context.request_id);
+    if (client) {
+      client->OnMenuClosed(custom_context.request_id);
+      pending_context_menus_.Remove(custom_context.request_id);
+    }
+  } else {
+    // Internal request, forward to WebKit.
+    render_view_->context_menu_node_.reset();
+  }
+}
+
+void RenderFrameImpl::OnCustomContextMenuAction(
+    const CustomContextMenuContext& custom_context,
+    unsigned action) {
+  if (custom_context.request_id) {
+    // External context menu request, look in our map.
+    ContextMenuClient* client =
+        pending_context_menus_.Lookup(custom_context.request_id);
+    if (client)
+      client->OnMenuAction(custom_context.request_id, action);
+  } else {
+    // Internal request, forward to WebKit.
+    render_view_->webview()->performCustomContextMenuAction(action);
+  }
+}
+
+bool RenderFrameImpl::ShouldUpdateSelectionTextFromContextMenuParams(
+    const base::string16& selection_text,
+    size_t selection_text_offset,
+    const gfx::Range& selection_range,
+    const ContextMenuParams& params) {
+  base::string16 trimmed_selection_text;
+  if (!selection_text.empty() && !selection_range.is_empty()) {
+    const int start = selection_range.GetMin() - selection_text_offset;
+    const size_t length = selection_range.length();
+    if (start >= 0 && start + length <= selection_text.length()) {
+      TrimWhitespace(selection_text.substr(start, length), TRIM_ALL,
+                     &trimmed_selection_text);
+    }
+  }
+  base::string16 trimmed_params_text;
+  TrimWhitespace(params.selection_text, TRIM_ALL, &trimmed_params_text);
+  return trimmed_params_text != trimmed_selection_text;
+}
+
 void RenderFrameImpl::DidCommitCompositorFrame() {
   if (compositing_helper_)
     compositing_helper_->DidCommitCompositorFrame();
@@ -498,11 +835,16 @@ WebPreferences& RenderFrameImpl::GetWebkitPreferences() {
 
 int RenderFrameImpl::ShowContextMenu(ContextMenuClient* client,
                                      const ContextMenuParams& params) {
-  return render_view_->ShowContextMenu(client, params);
+  DCHECK(client);  // A null client means "internal" when we issue callbacks.
+  ContextMenuParams our_params(params);
+  our_params.custom_context.request_id = pending_context_menus_.Add(client);
+  Send(new FrameHostMsg_ContextMenu(routing_id_, our_params));
+  return our_params.custom_context.request_id;
 }
 
 void RenderFrameImpl::CancelContextMenu(int request_id) {
-  return render_view_->CancelContextMenu(request_id);
+  DCHECK(pending_context_menus_.Lookup(request_id));
+  pending_context_menus_.Remove(request_id);
 }
 
 blink::WebPlugin* RenderFrameImpl::CreatePlugin(
@@ -537,6 +879,11 @@ void RenderFrameImpl::LoadURLExternally(
   loadURLExternally(frame, request, policy);
 }
 
+void RenderFrameImpl::OnChildFrameProcessGone() {
+  if (compositing_helper_)
+    compositing_helper_->ChildFrameGone();
+}
+
 // blink::WebFrameClient implementation ----------------------------------------
 
 blink::WebPlugin* RenderFrameImpl::createPlugin(
@@ -644,12 +991,9 @@ blink::WebFrame* RenderFrameImpl::createChildFrame(
 
   RenderFrameImpl* child_render_frame = RenderFrameImpl::Create(
       render_view_.get(), routing_id);
-  // TODO(nasko): Over-conservative check for debugging.
-  CHECK(child_render_frame);
   blink::WebFrame* web_frame = WebFrame::create(child_render_frame,
                                                 child_frame_identifier);
-  // TODO(nasko): Over-conservative check for debugging.
-  CHECK(web_frame);
+  parent->appendChild(web_frame);
   child_render_frame->SetWebFrame(web_frame);
 
   return web_frame;
@@ -664,14 +1008,10 @@ void RenderFrameImpl::frameDetached(blink::WebFrame* frame) {
   // the parent frame.  This is different from createChildFrame() which is
   // called on the parent frame.
   CHECK(!is_detaching_);
-  // TODO(nasko): Remove all debug::Alias lines after diagnosing failures.
-  base::debug::Alias(frame);
 
   bool is_subframe = !!frame->parent();
-  base::debug::Alias(&is_subframe);
 
   int64 parent_frame_id = -1;
-  base::debug::Alias(&parent_frame_id);
   if (is_subframe)
     parent_frame_id = frame->parent()->identifier();
 
@@ -699,6 +1039,9 @@ void RenderFrameImpl::frameDetached(blink::WebFrame* frame) {
   CHECK_EQ(it->second, this);
   g_frame_map.Get().erase(it);
 
+  if (is_subframe)
+    frame->parent()->removeChild(frame);
+
   // |frame| is invalid after here.
   frame->close();
 
@@ -862,6 +1205,10 @@ void RenderFrameImpl::didStartProvisionalLoad(blink::WebFrame* frame) {
       RenderViewObserver, render_view_->observers(),
       DidStartProvisionalLoad(frame));
 
+  FOR_EACH_OBSERVER(
+      RenderFrameObserver, observers_,
+      DidStartProvisionalLoad());
+
   Send(new FrameHostMsg_DidStartProvisionalLoadForFrame(
        routing_id_, frame->identifier(),
        frame->parent() ? frame->parent()->identifier() : -1,
@@ -880,7 +1227,7 @@ void RenderFrameImpl::didReceiveServerRedirectForProvisionalLoad(
     return;
   }
   std::vector<GURL> redirects;
-  RenderViewImpl::GetRedirectChain(data_source, &redirects);
+  GetRedirectChain(data_source, &redirects);
   if (redirects.size() >= 2) {
     Send(new FrameHostMsg_DidRedirectProvisionalLoad(
         routing_id_,
@@ -901,6 +1248,9 @@ void RenderFrameImpl::didFailProvisionalLoad(
   // Call out to RenderViewImpl, so observers are notified.
   render_view_->didFailProvisionalLoad(frame, error);
 
+  FOR_EACH_OBSERVER(RenderFrameObserver, observers_,
+                    DidFailProvisionalLoad(error));
+
   bool show_repost_interstitial =
       (error.reason == net::ERR_CACHE_MISS &&
        EqualsASCII(failed_request.httpMethod(), "POST"));
@@ -968,7 +1318,8 @@ void RenderFrameImpl::didFailProvisionalLoad(
   // If we failed on a browser initiated request, then make sure that our error
   // page load is regarded as the same browser initiated request.
   if (!navigation_state->is_content_initiated()) {
-    render_view_->pending_navigation_params_.reset(new ViewMsg_Navigate_Params);
+    render_view_->pending_navigation_params_.reset(
+        new FrameMsg_Navigate_Params);
     render_view_->pending_navigation_params_->page_id =
         navigation_state->pending_page_id();
     render_view_->pending_navigation_params_->pending_history_list_offset =
@@ -990,20 +1341,94 @@ void RenderFrameImpl::didFailProvisionalLoad(
 
 void RenderFrameImpl::didCommitProvisionalLoad(blink::WebFrame* frame,
                                                bool is_new_navigation) {
-  // TODO(nasko): Move implementation here. Needed state:
-  // * page_id_
-  // * next_page_id_
-  // * history_list_offset_
-  // * history_list_length_
-  // * history_page_ids_
-  // Needed methods
-  // * webview
-  // * UpdateSessionHistory
-  // * GetLoadingUrl
-  render_view_->didCommitProvisionalLoad(frame, is_new_navigation);
+  DocumentState* document_state =
+      DocumentState::FromDataSource(frame->dataSource());
+  NavigationState* navigation_state = document_state->navigation_state();
+  InternalDocumentStateData* internal_data =
+      InternalDocumentStateData::FromDocumentState(document_state);
+
+  if (document_state->commit_load_time().is_null())
+    document_state->set_commit_load_time(Time::Now());
+
+  if (internal_data->must_reset_scroll_and_scale_state()) {
+    render_view_->webview()->resetScrollAndScaleState();
+    internal_data->set_must_reset_scroll_and_scale_state(false);
+  }
+  internal_data->set_use_error_page(false);
+
+  if (is_new_navigation) {
+    // When we perform a new navigation, we need to update the last committed
+    // session history entry with state for the page we are leaving.
+    render_view_->UpdateSessionHistory(frame);
+
+    // We bump our Page ID to correspond with the new session history entry.
+    render_view_->page_id_ = render_view_->next_page_id_++;
+
+    // Don't update history_page_ids_ (etc) for kSwappedOutURL, since
+    // we don't want to forget the entry that was there, and since we will
+    // never come back to kSwappedOutURL.  Note that we have to call
+    // UpdateSessionHistory and update page_id_ even in this case, so that
+    // the current entry gets a state update and so that we don't send a
+    // state update to the wrong entry when we swap back in.
+    if (render_view_->GetLoadingUrl(frame) != GURL(kSwappedOutURL)) {
+      // Advance our offset in session history, applying the length limit.
+      // There is now no forward history.
+      render_view_->history_list_offset_++;
+      if (render_view_->history_list_offset_ >= kMaxSessionHistoryEntries)
+        render_view_->history_list_offset_ = kMaxSessionHistoryEntries - 1;
+      render_view_->history_list_length_ =
+          render_view_->history_list_offset_ + 1;
+      render_view_->history_page_ids_.resize(
+          render_view_->history_list_length_, -1);
+      render_view_->history_page_ids_[render_view_->history_list_offset_] =
+          render_view_->page_id_;
+    }
+  } else {
+    // Inspect the navigation_state on this frame to see if the navigation
+    // corresponds to a session history navigation...  Note: |frame| may or
+    // may not be the toplevel frame, but for the case of capturing session
+    // history, the first committed frame suffices.  We keep track of whether
+    // we've seen this commit before so that only capture session history once
+    // per navigation.
+    //
+    // Note that we need to check if the page ID changed. In the case of a
+    // reload, the page ID doesn't change, and UpdateSessionHistory gets the
+    // previous URL and the current page ID, which would be wrong.
+    if (navigation_state->pending_page_id() != -1 &&
+        navigation_state->pending_page_id() != render_view_->page_id_ &&
+        !navigation_state->request_committed()) {
+      // This is a successful session history navigation!
+      render_view_->UpdateSessionHistory(frame);
+      render_view_->page_id_ = navigation_state->pending_page_id();
+
+      render_view_->history_list_offset_ =
+          navigation_state->pending_history_list_offset();
+
+      // If the history list is valid, our list of page IDs should be correct.
+      DCHECK(render_view_->history_list_length_ <= 0 ||
+             render_view_->history_list_offset_ < 0 ||
+             render_view_->history_list_offset_ >=
+                 render_view_->history_list_length_ ||
+             render_view_->history_page_ids_[render_view_->history_list_offset_]
+                  == render_view_->page_id_);
+    }
+  }
 
+  render_view_->didCommitProvisionalLoad(frame, is_new_navigation);
   FOR_EACH_OBSERVER(RenderFrameObserver, observers_,
                     DidCommitProvisionalLoad(is_new_navigation));
+
+  // Remember that we've already processed this request, so we don't update
+  // the session history again.  We do this regardless of whether this is
+  // a session history navigation, because if we attempted a session history
+  // navigation without valid HistoryItem state, WebCore will think it is a
+  // new navigation.
+  navigation_state->set_request_committed(true);
+
+  UpdateURL(frame);
+
+  // Check whether we have new encoding name.
+  render_view_->UpdateEncoding(frame, frame->view()->pageEncoding().utf8());
 }
 
 void RenderFrameImpl::didClearWindowObject(blink::WebFrame* frame,
@@ -1046,9 +1471,19 @@ void RenderFrameImpl::didChangeIcon(blink::WebFrame* frame,
 }
 
 void RenderFrameImpl::didFinishDocumentLoad(blink::WebFrame* frame) {
-  // TODO(nasko): Move implementation here. No state needed, just observers
-  // notification in before updating encoding.
+  WebDataSource* ds = frame->dataSource();
+  DocumentState* document_state = DocumentState::FromDataSource(ds);
+  document_state->set_finish_document_load_time(Time::Now());
+
+  Send(
+      new FrameHostMsg_DidFinishDocumentLoad(routing_id_, frame->identifier()));
+
+  // Call back to RenderViewImpl for observers to be notified.
+  // TODO(nasko): Remove once we have RenderFrameObserver for this method.
   render_view_->didFinishDocumentLoad(frame);
+
+  // Check whether we have new encoding name.
+  render_view_->UpdateEncoding(frame, frame->view()->pageEncoding().utf8());
 }
 
 void RenderFrameImpl::didHandleOnloadEvents(blink::WebFrame* frame) {
@@ -1060,20 +1495,53 @@ void RenderFrameImpl::didHandleOnloadEvents(blink::WebFrame* frame) {
 void RenderFrameImpl::didFailLoad(blink::WebFrame* frame,
                                   const blink::WebURLError& error) {
   // TODO(nasko): Move implementation here. No state needed.
+  WebDataSource* ds = frame->dataSource();
+  DCHECK(ds);
+
   render_view_->didFailLoad(frame, error);
+
+  const WebURLRequest& failed_request = ds->request();
+  base::string16 error_description;
+  GetContentClient()->renderer()->GetNavigationErrorStrings(
+      render_view_.get(),
+      frame,
+      failed_request,
+      error,
+      NULL,
+      &error_description);
+  Send(new FrameHostMsg_DidFailLoadWithError(routing_id_,
+                                             frame->identifier(),
+                                             failed_request.url(),
+                                             !frame->parent(),
+                                             error.reason,
+                                             error_description));
 }
 
 void RenderFrameImpl::didFinishLoad(blink::WebFrame* frame) {
   // TODO(nasko): Move implementation here. No state needed, just observers
   // notification before sending message to the browser process.
   render_view_->didFinishLoad(frame);
+  FOR_EACH_OBSERVER(RenderFrameObserver, observers_,
+                    DidFinishLoad());
 }
 
 void RenderFrameImpl::didNavigateWithinPage(blink::WebFrame* frame,
                                             bool is_new_navigation) {
-  // TODO(nasko): Move implementation here. No state needed, just observers
-  // notification before sending message to the browser process.
-  render_view_->didNavigateWithinPage(frame, is_new_navigation);
+  // If this was a reference fragment navigation that we initiated, then we
+  // could end up having a non-null pending navigation params.  We just need to
+  // update the ExtraData on the datasource so that others who read the
+  // ExtraData will get the new NavigationState.  Similarly, if we did not
+  // initiate this navigation, then we need to take care to reset any pre-
+  // existing navigation state to a content-initiated navigation state.
+  // DidCreateDataSource conveniently takes care of this for us.
+  didCreateDataSource(frame, frame->dataSource());
+
+  DocumentState* document_state =
+      DocumentState::FromDataSource(frame->dataSource());
+  NavigationState* new_state = document_state->navigation_state();
+  new_state->set_was_within_same_page(true);
+
+  didCommitProvisionalLoad(frame, is_new_navigation);
 }
 
 void RenderFrameImpl::didUpdateCurrentHistoryItem(blink::WebFrame* frame) {
@@ -1085,7 +1553,6 @@ void RenderFrameImpl::didUpdateCurrentHistoryItem(blink::WebFrame* frame) {
 void RenderFrameImpl::willRequestAfterPreconnect(
     blink::WebFrame* frame,
     blink::WebURLRequest& request) {
-  blink::WebReferrerPolicy referrer_policy = frame->document().referrerPolicy();
   // FIXME(kohei): This will never be set.
   WebString custom_user_agent;
 
@@ -1095,7 +1562,7 @@ void RenderFrameImpl::willRequestAfterPreconnect(
   // The args after |was_after_preconnect_request| are not used, and set to
   // correct values at |willSendRequest|.
   request.setExtraData(new webkit_glue::WebURLRequestExtraDataImpl(
-      referrer_policy, custom_user_agent, was_after_preconnect_request));
+      custom_user_agent, was_after_preconnect_request));
 }
 
 void RenderFrameImpl::willSendRequest(
@@ -1137,13 +1604,6 @@ void RenderFrameImpl::willSendRequest(
   if (internal_data->is_cache_policy_override_set())
     request.setCachePolicy(internal_data->cache_policy_override());
 
-  blink::WebReferrerPolicy referrer_policy;
-  if (internal_data->is_referrer_policy_set()) {
-    referrer_policy = internal_data->referrer_policy();
-  } else {
-    referrer_policy = frame->document().referrerPolicy();
-  }
-
   // The request's extra data may indicate that we should set a custom user
   // agent. This needs to be done here, after WebKit is through with setting the
   // user agent on its own.
@@ -1181,8 +1641,7 @@ void RenderFrameImpl::willSendRequest(
         navigation_state->should_replace_current_entry();
   }
   request.setExtraData(
-      new RequestExtraData(referrer_policy,
-                           render_view_->visibilityState(),
+      new RequestExtraData(render_view_->visibilityState(),
                            custom_user_agent,
                            was_after_preconnect_request,
                            routing_id_,
@@ -1221,13 +1680,21 @@ void RenderFrameImpl::willSendRequest(
         navigation_state->extra_headers().begin(),
         navigation_state->extra_headers().end(), "\n");
         i.GetNext(); ) {
-      request.setHTTPHeaderField(WebString::fromUTF8(i.name()),
-                                 WebString::fromUTF8(i.values()));
+      if (LowerCaseEqualsASCII(i.name(), "referer")) {
+        WebString referrer = WebSecurityPolicy::generateReferrerHeader(
+            blink::WebReferrerPolicyDefault,
+            request.url(),
+            WebString::fromUTF8(i.values()));
+        request.setHTTPReferrer(referrer, blink::WebReferrerPolicyDefault);
+      } else {
+        request.setHTTPHeaderField(WebString::fromUTF8(i.name()),
+                                   WebString::fromUTF8(i.values()));
+      }
     }
   }
 
   if (!render_view_->renderer_preferences_.enable_referrers)
-    request.clearHTTPHeaderField("Referer");
+    request.setHTTPReferrer(WebString(), blink::WebReferrerPolicyDefault);
 }
 
 void RenderFrameImpl::didReceiveResponse(
@@ -1251,8 +1718,7 @@ void RenderFrameImpl::didReceiveResponse(
   int http_status_code = response.httpStatusCode();
 
   // Record page load flags.
-  WebURLResponseExtraDataImpl* extra_data =
-      RenderViewImpl::GetExtraDataFromResponse(response);
+  WebURLResponseExtraDataImpl* extra_data = GetExtraDataFromResponse(response);
   if (extra_data) {
     document_state->set_was_fetched_via_spdy(
         extra_data->was_fetched_via_spdy());
@@ -1403,12 +1869,12 @@ void RenderFrameImpl::requestStorageQuota(
     blink::WebFrame* frame,
     blink::WebStorageQuotaType type,
     unsigned long long requested_size,
-    blink::WebStorageQuotaCallbacks* callbacks) {
+    blink::WebStorageQuotaCallbacks callbacks) {
   DCHECK(frame);
   WebSecurityOrigin origin = frame->document().securityOrigin();
   if (origin.isUnique()) {
     // Unique origins cannot store persistent state.
-    callbacks->didFail(blink::WebStorageQuotaErrorAbort);
+    callbacks.didFail(blink::WebStorageQuotaErrorAbort);
     return;
   }
   ChildThread::current()->quota_dispatcher()->RequestStorageQuota(
@@ -1493,6 +1959,63 @@ void RenderFrameImpl::didLoseWebGLContext(blink::WebFrame* frame,
       arb_robustness_status_code));
 }
 
+void RenderFrameImpl::showContextMenu(const blink::WebContextMenuData& data) {
+  ContextMenuParams params = ContextMenuParamsBuilder::Build(data);
+  params.source_type = GetRenderWidget()->context_menu_source_type();
+  if (params.source_type == ui::MENU_SOURCE_TOUCH_EDIT_MENU) {
+    params.x = GetRenderWidget()->touch_editing_context_menu_location().x();
+    params.y = GetRenderWidget()->touch_editing_context_menu_location().y();
+  }
+  GetRenderWidget()->OnShowHostContextMenu(&params);
+
+  // Plugins, e.g. PDF, don't currently update the render view when their
+  // selected text changes, but the context menu params do contain the updated
+  // selection. If that's the case, update the render view's state just prior
+  // to showing the context menu.
+  // TODO(asvitkine): http://crbug.com/152432
+  if (ShouldUpdateSelectionTextFromContextMenuParams(
+          render_view_->selection_text_,
+          render_view_->selection_text_offset_,
+          render_view_->selection_range_,
+          params)) {
+    render_view_->selection_text_ = params.selection_text;
+    // TODO(asvitkine): Text offset and range is not available in this case.
+    render_view_->selection_text_offset_ = 0;
+    render_view_->selection_range_ =
+        gfx::Range(0, render_view_->selection_text_.length());
+    Send(new ViewHostMsg_SelectionChanged(
+        routing_id_,
+        render_view_->selection_text_,
+        render_view_->selection_text_offset_,
+        render_view_->selection_range_));
+  }
+
+  params.frame_id = frame_->identifier();
+
+  // Serializing a GURL longer than kMaxURLChars will fail, so don't do
+  // it.  We replace it with an empty GURL so the appropriate items are disabled
+  // in the context menu.
+  // TODO(jcivelli): http://crbug.com/45160 This prevents us from saving large
+  //                 data encoded images.  We should have a way to save them.
+  if (params.src_url.spec().size() > GetMaxURLChars())
+    params.src_url = GURL();
+  render_view_->context_menu_node_ = data.node;
+
+#if defined(OS_ANDROID)
+  gfx::Rect start_rect;
+  gfx::Rect end_rect;
+  render_view_->GetSelectionBounds(&start_rect, &end_rect);
+  params.selection_start = gfx::Point(start_rect.x(), start_rect.bottom());
+  params.selection_end = gfx::Point(end_rect.right(), end_rect.bottom());
+#endif
+
+  Send(new FrameHostMsg_ContextMenu(routing_id_, params));
+}
+
+void RenderFrameImpl::forwardInputEvent(const blink::WebInputEvent* event) {
+  Send(new FrameHostMsg_ForwardInputEvent(routing_id_, event));
+}
+
 void RenderFrameImpl::AddObserver(RenderFrameObserver* observer) {
   observers_.AddObserver(observer);
 }
@@ -1502,4 +2025,189 @@ void RenderFrameImpl::RemoveObserver(RenderFrameObserver* observer) {
   observers_.RemoveObserver(observer);
 }
 
+void RenderFrameImpl::OnStop() {
+  FOR_EACH_OBSERVER(RenderFrameObserver, observers_, OnStop());
+}
+
+// Tell the embedding application that the URL of the active page has changed.
+void RenderFrameImpl::UpdateURL(WebFrame* frame) {
+  WebDataSource* ds = frame->dataSource();
+  DCHECK(ds);
+
+  const WebURLRequest& request = ds->request();
+  const WebURLRequest& original_request = ds->originalRequest();
+  const WebURLResponse& response = ds->response();
+
+  DocumentState* document_state = DocumentState::FromDataSource(ds);
+  NavigationState* navigation_state = document_state->navigation_state();
+  InternalDocumentStateData* internal_data =
+      InternalDocumentStateData::FromDocumentState(document_state);
+
+  FrameHostMsg_DidCommitProvisionalLoad_Params params;
+  params.http_status_code = response.httpStatusCode();
+  params.is_post = false;
+  params.post_id = -1;
+  params.page_id = render_view_->page_id_;
+  params.frame_id = frame->identifier();
+  params.frame_unique_name = frame->uniqueName();
+  params.socket_address.set_host(response.remoteIPAddress().utf8());
+  params.socket_address.set_port(response.remotePort());
+  WebURLResponseExtraDataImpl* extra_data = GetExtraDataFromResponse(response);
+  if (extra_data)
+    params.was_fetched_via_proxy = extra_data->was_fetched_via_proxy();
+  params.was_within_same_page = navigation_state->was_within_same_page();
+  params.security_info = response.securityInfo();
+
+  // Set the URL to be displayed in the browser UI to the user.
+  params.url = render_view_->GetLoadingUrl(frame);
+  DCHECK(!is_swapped_out_ || params.url == GURL(kSwappedOutURL));
+
+  if (frame->document().baseURL() != params.url)
+    params.base_url = frame->document().baseURL();
+
+  GetRedirectChain(ds, &params.redirects);
+  params.should_update_history = !ds->hasUnreachableURL() &&
+      !response.isMultipartPayload() && (response.httpStatusCode() != 404);
+
+  params.searchable_form_url = internal_data->searchable_form_url();
+  params.searchable_form_encoding = internal_data->searchable_form_encoding();
+
+  params.gesture = render_view_->navigation_gesture_;
+  render_view_->navigation_gesture_ = NavigationGestureUnknown;
+
+  // Make navigation state a part of the DidCommitProvisionalLoad message so
+  // that commited entry has it at all times.
+  WebHistoryItem item = frame->currentHistoryItem();
+  if (item.isNull()) {
+    item.initialize();
+    item.setURLString(request.url().spec().utf16());
+  }
+  params.page_state = HistoryItemToPageState(item);
+
+  if (!frame->parent()) {
+    // Top-level navigation.
+
+    // Reset the zoom limits in case a plugin had changed them previously. This
+    // will also call us back which will cause us to send a message to
+    // update WebContentsImpl.
+    render_view_->webview()->zoomLimitsChanged(
+        ZoomFactorToZoomLevel(kMinimumZoomFactor),
+        ZoomFactorToZoomLevel(kMaximumZoomFactor));
+
+    // Set zoom level, but don't do it for full-page plugin since they don't use
+    // the same zoom settings.
+    HostZoomLevels::iterator host_zoom =
+        render_view_->host_zoom_levels_.find(GURL(request.url()));
+    if (render_view_->webview()->mainFrame()->document().isPluginDocument()) {
+      // Reset the zoom levels for plugins.
+      render_view_->webview()->setZoomLevel(0);
+    } else {
+      if (host_zoom != render_view_->host_zoom_levels_.end())
+        render_view_->webview()->setZoomLevel(host_zoom->second);
+    }
+
+    if (host_zoom != render_view_->host_zoom_levels_.end()) {
+      // This zoom level was merely recorded transiently for this load.  We can
+      // erase it now.  If at some point we reload this page, the browser will
+      // send us a new, up-to-date zoom level.
+      render_view_->host_zoom_levels_.erase(host_zoom);
+    }
+
+    // Update contents MIME type for main frame.
+    params.contents_mime_type = ds->response().mimeType().utf8();
+
+    params.transition = navigation_state->transition_type();
+    if (!PageTransitionIsMainFrame(params.transition)) {
+      // If the main frame does a load, it should not be reported as a subframe
+      // navigation.  This can occur in the following case:
+      // 1. You're on a site with frames.
+      // 2. You do a subframe navigation.  This is stored with transition type
+      //    MANUAL_SUBFRAME.
+      // 3. You navigate to some non-frame site, say, google.com.
+      // 4. You navigate back to the page from step 2.  Since it was initially
+      //    MANUAL_SUBFRAME, it will be that same transition type here.
+      // We don't want that, because any navigation that changes the toplevel
+      // frame should be tracked as a toplevel navigation (this allows us to
+      // update the URL bar, etc).
+      params.transition = PAGE_TRANSITION_LINK;
+    }
+
+    // If the page contained a client redirect (meta refresh, document.loc...),
+    // set the referrer and transition appropriately.
+    if (ds->isClientRedirect()) {
+      params.referrer =
+          Referrer(params.redirects[0], ds->request().referrerPolicy());
+      params.transition = static_cast<PageTransition>(
+          params.transition | PAGE_TRANSITION_CLIENT_REDIRECT);
+    } else {
+      params.referrer = RenderViewImpl::GetReferrerFromRequest(
+          frame, ds->request());
+    }
+
+    base::string16 method = request.httpMethod();
+    if (EqualsASCII(method, "POST")) {
+      params.is_post = true;
+      params.post_id = ExtractPostId(item);
+    }
+
+    // Send the user agent override back.
+    params.is_overriding_user_agent = internal_data->is_overriding_user_agent();
+
+    // Track the URL of the original request.  We use the first entry of the
+    // redirect chain if it exists because the chain may have started in another
+    // process.
+    if (params.redirects.size() > 0)
+      params.original_request_url = params.redirects.at(0);
+    else
+      params.original_request_url = original_request.url();
+
+    params.history_list_was_cleared =
+        navigation_state->history_list_was_cleared();
+
+    // Save some histogram data so we can compute the average memory used per
+    // page load of the glyphs.
+    UMA_HISTOGRAM_COUNTS_10000("Memory.GlyphPagesPerLoad",
+                               blink::WebGlyphCache::pageCount());
+
+    // This message needs to be sent before any of allowScripts(),
+    // allowImages(), allowPlugins() is called for the new page, so that when
+    // these functions send a ViewHostMsg_ContentBlocked message, it arrives
+    // after the FrameHostMsg_DidCommitProvisionalLoad message.
+    Send(new FrameHostMsg_DidCommitProvisionalLoad(routing_id_, params));
+  } else {
+    // Subframe navigation: the type depends on whether this navigation
+    // generated a new session history entry. When they do generate a session
+    // history entry, it means the user initiated the navigation and we should
+    // mark it as such. This test checks if this is the first time UpdateURL
+    // has been called since WillNavigateToURL was called to initiate the load.
+    if (render_view_->page_id_ > render_view_->last_page_id_sent_to_browser_)
+      params.transition = PAGE_TRANSITION_MANUAL_SUBFRAME;
+    else
+      params.transition = PAGE_TRANSITION_AUTO_SUBFRAME;
+
+    DCHECK(!navigation_state->history_list_was_cleared());
+    params.history_list_was_cleared = false;
+
+    // Don't send this message while the subframe is swapped out.
+    if (!is_swapped_out())
+      Send(new FrameHostMsg_DidCommitProvisionalLoad(routing_id_, params));
+  }
+
+  render_view_->last_page_id_sent_to_browser_ =
+      std::max(render_view_->last_page_id_sent_to_browser_,
+               render_view_->page_id_);
+
+  // If we end up reusing this WebRequest (for example, due to a #ref click),
+  // we don't want the transition type to persist.  Just clear it.
+  navigation_state->set_transition_type(PAGE_TRANSITION_LINK);
+}
+
+void RenderFrameImpl::didStartLoading() {
+  Send(new FrameHostMsg_DidStartLoading(routing_id_));
+}
+
+void RenderFrameImpl::didStopLoading() {
+  Send(new FrameHostMsg_DidStopLoading(routing_id_));
+}
+
 }  // namespace content