NOTE: This page is a recollection of what I've written previously. I do not guarantee it's accuracy.
There are several ways in which you can navigate to a new URL in WebKit: you can have the browser chrome tell it to after initializing a new sandbox as needed and notifying in-sandbox extensions, or you can use links, forms, or JavaScript. However you do it these signals converge into the page’s DocumentLoader.
The first thing this DocumentLoader does upon receiving these signals is to cancel any requests after a page has been unloaded, fetches info for security checks and headers, possibly find another frame in the frame tree to hand the load off to, considers opening a new window, and considers just scrolling the page instead before handing off to the next method.
Which then determines a history entry to write into and determines iframe sandboxing rules, for the subsequent method to perform the additional security checks, does some performance logging for WebInspector, considers just scrolling the page again, and checks with the UI for permission and adjustments (e.g. for “new tab” gestures).
Once that check succeeds it stops all in-progress loads, registers to be notified of updates, takes a fast path for tab history, and possibly notifies the UI of any attached textual form data (e.g. to store website credentials, or handle POST forms from internal pages).
Once that check succeeds it hands the task off onto the DocumentLoader which performs more intensive security checks specified by HTTP or HTML, notifies various parties of any progress, and dispatches to the HTTP, Service Worker, or app manifest caches. The HTTP cache in turn dispatches to the network sandbox, or for custom URI schemes the UI process, to actually fetch the page.
The requests in the network sandbox can be translated into a download whenever the UI wants by telling it to save any data it receives to disk and notify a different party of any progress.