WebKit Bugzilla
RESOLVED FIXED
315787
[Site Isolation] File URL approval not propagated to new process across PSON for navigations with file iframes
https://bugs.webkit.org/show_bug.cgi?id=315787
Basuke Suzuki
Reported
2026-05-28 14:49:47 PDT
When a navigation triggers a process swap (PSON) into a fresh WebContent process under Site Isolation, the new process inherits the page's back/forward list but its WebProcessProxy::m_previouslyApprovedFilePaths set is empty. After commit, the new process can surface child-frame history items via BackForwardUpdateItem IPC. The per-process file URL approval gate at Source/WebKit/UIProcess/WebBackForwardList.cpp:768 (MESSAGE_CHECK(process, !itemURL.protocolIsFile() || process->wasPreviouslyApprovedFileURL(itemURL))) then trips because the new process was only seeded with the top-level navigation URL — not with iframe URLs from the target back/forward item's frame-state tree.

Repro: 6 of 7 sample layout tests crash UIProcess with EXC_BREAKPOINT (MESSAGE_CHECK trap) when SiteIsolationEnabled is on by default:
- fast/events/pageshow-pagehide-on-back-cached-with-frames.html
- fast/history/go-back-then-navigate-subframe.html
- fast/history/go-back-to-object-subframe.html
- fast/history/history-back-initial-vs-final-url.html
- fast/loader/form-state-restore-with-frames.html
- fast/scrolling/iframe-scrollable-after-back.html

Fix: walk navigation.targetItem() and currentItem()'s frame-state trees via copyMainFrameStateWithChildren() (mainFrameState() returns a FrameState with cleared children — children live on WebBackForwardListFrameItem::m_children) recursively in continueNavigationInNewProcess. Approve both urlString and originalURLString file URLs on newProcess before any IPC referencing them.
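The gate and the two seeding strategies described in the report, as an added standalone C++ model (not code from WebKit or from the patch). FrameState, ProcessModel and all helper names here are hypothetical, approval is modelled as an exact-string set rather than WebKit's actual check, and the sample item is constructed.

```cpp
// Simplified model of the per-process file URL approval gate (not WebKit code).
#include <cstdio>
#include <set>
#include <string>
#include <vector>

struct FrameState { // hypothetical stand-in for one node of a frame-state tree
    std::string urlString, originalURLString;
    std::vector<FrameState> children;
};
static bool isFileURL(const std::string& u) { return u.compare(0, 5, "file:") == 0; }

struct ProcessModel { // hypothetical stand-in for one process's approval set
    std::set<std::string> approved;
    void approve(const std::string& u) { if (isFileURL(u)) approved.insert(u); }
    // Same shape as the gate: non-file URLs pass, file URLs need prior approval.
    bool passesGate(const std::string& u) const { return !isFileURL(u) || approved.count(u) > 0; }
};

// Seeding as described for the bug: only the top-level navigation URL.
void seedTopLevelOnly(ProcessModel& p, const FrameState& main) { p.approve(main.urlString); }

// Seeding as described for the fix: both URL fields of every frame, recursively.
void seedFrameTree(ProcessModel& p, const FrameState& f) {
    p.approve(f.urlString);
    p.approve(f.originalURLString);
    for (const FrameState& c : f.children) seedFrameTree(p, c);
}

// Number of URL fields in the tree that the gate would reject for this process.
int countRejected(const ProcessModel& p, const FrameState& f) {
    int n = !p.passesGate(f.urlString) + !p.passesGate(f.originalURLString);
    for (const FrameState& c : f.children) n += countRejected(p, c);
    return n;
}

FrameState sampleItem() { // constructed back/forward item with nested file iframes
    FrameState nested{"file:///tmp/nested.html", "", {}};
    FrameState redirected{"file:///tmp/final.html", "file:///tmp/initial.html", {}};
    FrameState remote{"https://example.com/", "", {nested}};
    return FrameState{"file:///tmp/main.html", "file:///tmp/main.html", {redirected, remote}};
}

int rejectedAfterTopLevelSeed() { ProcessModel p; FrameState i = sampleItem(); seedTopLevelOnly(p, i); return countRejected(p, i); }
int rejectedAfterTreeSeed() { ProcessModel p; FrameState i = sampleItem(); seedFrameTree(p, i); return countRejected(p, i); }

int main() {
    std::printf("top-level seed: %d rejected, tree seed: %d rejected\n",
                rejectedAfterTopLevelSeed(), rejectedAfterTreeSeed());
}
```

In the model, the file iframe nested under a non-file frame shows why the walk has to recurse through every child rather than stop at the first level or at non-file frames.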
Basuke Suzuki
Comment 1
2026-05-28 16:48:08 PDT
<rdar://problem/178185140>
Basuke Suzuki
Comment 2
2026-05-28 16:48:23 PDT
Pull request: https://github.com/WebKit/WebKit/pull/65930
EWS
Comment 3
2026-06-03 18:47:49 PDT
Committed 314518@main (ceb4d817be51): <https://commits.webkit.org/314518@main>

Reviewed commits have been landed. Closing PR #65930 and removing active labels.