Initialize the new WindowProxy when handing off the global object.

Source/bindings/core/v8/WindowProxy.cpp

 /*
  * Copyright (C) 2008, 2009, 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 138 matching lines @@
 void WindowProxy::takeGlobalFrom(WindowProxy* windowProxy)
 {
     v8::HandleScope handleScope(m_isolate);
     ASSERT(!windowProxy->isContextInitialized());
     // If a ScriptState was created, the context was initialized at some point.
     // Make sure the global object was detached from the proxy by calling clearForNavigation().
     if (windowProxy->m_scriptState)
         ASSERT(windowProxy->m_scriptState->isGlobalObjectDetached());
     m_global.set(m_isolate, windowProxy->m_global.newLocal(m_isolate));
     windowProxy->m_global.clear();
+    // Initialize the window proxy now, to re-establish the connection between
+    // the global object and the v8::Context. This is really only needed for a
+    // RemoteDOMWindow, since it has no scripting environment of its own.
+    // Without this, existing script references to a swapped in RemoteDOMWindow
+    // would be broken until that RemoteDOMWindow was vended again through an
+    // interface like window.frames.
+    initializeIfNeeded();

[haraken, 2015/04/24 05:06:04]

Just to confirm: This initializeIfNeeded() creates a new Context and its global
object but doesn't set the newly created global object to m_global (because
you've already set m_global in the above). Is this expected?

 }
 
 // Create a new environment and setup the global object.
 //
 // The global object corresponds to a DOMWindow instance. However, to
 // allow properties of the JS DOMWindow instance to be shadowed, we
 // use a shadow object as the global object and use the JS DOMWindow
 // instance as the prototype for that shadow object. The JS DOMWindow
 // instance is undetectable from JavaScript code because the __proto__
 // accessors skip that object.
@@ skipping 221 matching lines @@
     // If two tokens are equal, then the SecurityOrigins canAccess each other.
     // If two tokens are not equal, then we have to call canAccess.
     // Note: we can't use the HTTPOrigin if it was set from the DOM.
     String token;
     // There are several situations where v8 needs to do a full canAccess check,
     // so set an empty security token instead:
     // - document.domain was modified
     // - the frame is showing the initial empty document
     // - the frame is remote
     bool delaySet = m_world->isMainWorld()
-        && (origin->domainWasSetInDOM()
-            || m_frame->isRemoteFrame()
+        && (m_frame->isRemoteFrame()
+            || origin->domainWasSetInDOM()
             || toLocalFrame(m_frame)->loader().stateMachine()->isDisplayingInitialEmptyDocument());
     if (origin && !delaySet)
         token = origin->toString();
 
     // An empty or "null" token means we always have to call
     // canAccess. The toString method on securityOrigins returns the
     // string "null" for empty security origins and for security
     // origins that should only allow access to themselves. In this
     // case, we use the global object as the security token to avoid
     // calling canAccess when a script accesses its own objects.
@@ skipping 98 matching lines @@
 
 void WindowProxy::updateSecurityOrigin(SecurityOrigin* origin)
 {
     ASSERT(m_world->isMainWorld());
     if (!isContextInitialized())
         return;
     setSecurityToken(origin);
 }
 
 } // namespace blink