Chromium Code Reviews

Unified Diff: third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp

Issue 1374533002: Null out LocalDOMWindow::m_frame on navigation. (Closed) Base URL: https://chromium.googlesource.com/chromium/src.git@master
Patch Set: Add comments and fix stack overflow. Created 5 years, 3 months ago
Index: third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
diff --git a/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp b/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
index 9cc840b854ca626a02aa7e869f226ec9e9cf84d1..cb86f708e6fb40bb860a73ed7720d59238a9ed31 100644
--- a/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
+++ b/third_party/WebKit/Source/core/frame/LocalDOMWindow.cpp
@@ -528,7 +528,7 @@ void LocalDOMWindow::unregisterProperty(DOMWindowProperty* property)
void LocalDOMWindow::reset()
{
- frameDestroyed();
+ m_frameObserver->contextDestroyed();
m_screen = nullptr;
m_history = nullptr;
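Review bot: In reset(), the new call `m_frameObserver->contextDestroyed();` dereferences m_frameObserver unconditionally, and nothing in the visible lines establishes that the observer is non-null at this point. Either add a short comment stating that m_frameObserver lives as long as the LocalDOMWindow, or guard the call. It would also help to say in a comment why reset() now tears down the observer directly rather than going through frameDestroyed(), since that is the step that actually nulls the frame reference the issue title refers to.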
@@ -546,8 +546,6 @@ void LocalDOMWindow::reset()
m_hasBeenReset = true;
#endif
- resetLocation();
-
LocalDOMWindow::notifyContextDestroyed();
}
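Review bot: The `resetLocation();` call is dropped from reset() with no replacement visible in this hunk and no comment explaining what now detaches the Location object. Please note in the change description or a comment which path clears the Location's frame after this patch, and confirm that a Location reference held by script from before the navigation can no longer reach the frame once reset() has run.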
@@ -667,17 +665,8 @@ ApplicationCache* LocalDOMWindow::applicationCache() const
Navigator* LocalDOMWindow::navigator() const
{
- if (!isCurrentlyDisplayedInFrame() && (!m_navigator || m_navigator->frame())) {
dcheng 2015/09/28 06:45:09 I tested with the test case in https://code.google
- // We return a navigator with null frame instead of returning null
- // pointer as other functions do, in order to allow users to access
- // functions such as navigator.product.
- m_navigator = Navigator::create(nullptr);
- }
if (!m_navigator)
m_navigator = Navigator::create(frame());
- // As described above, when not dispayed in the frame, the returning
- // navigator should not be associated with the frame.
- ASSERT(isCurrentlyDisplayedInFrame() || !m_navigator->frame());
return m_navigator.get();
}
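Review bot: In navigator(), removing the null-frame branch also removes the only check that a cached m_navigator is not still attached to a frame once this window is no longer displayed. With the new code, a Navigator created while the window was current is returned as-is after navigation, so its safety depends on something else clearing its frame pointer. Consider keeping a reduced assertion such as `ASSERT(!m_navigator->frame() || m_navigator->frame() == frame());` before the return, or add a comment naming what detaches the Navigator, so the invariant the deleted comment described is still written down.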
@@ -1375,8 +1364,9 @@ void LocalDOMWindow::dispatchLoadEvent()
timing.markLoadEventStart();
dispatchEvent(loadEvent, document());
timing.markLoadEventEnd();
- } else
+ } else {
dispatchEvent(loadEvent, document());
+ }
dcheng 2015/09/28 06:45:09 I'm not sure why, but the presubmit checks are ran
// For load events, send a separate load event to the enclosing frame only.
// This is a DOM extension and is independent of bubbling/capturing rules of
@@ -1462,9 +1452,9 @@ PassRefPtrWillBeRawPtr<DOMWindow> LocalDOMWindow::open(const String& urlString,
// Get the target frame for the special cases of _top and _parent.
// In those cases, we schedule a location change right now and return early.
Frame* targetFrame = nullptr;
- if (frameName == "_top")
+ if (frameName == "_top") {
targetFrame = frame()->tree().top();
- else if (frameName == "_parent") {
+ } else if (frameName == "_parent") {
if (Frame* parent = frame()->tree().parent())
targetFrame = parent;
else
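Review bot: In open(), `frame()->tree().top()` and `frame()->tree().parent()` dereference frame(), which this patch makes null after navigation, and the visible context shows no null check ahead of them. Please confirm there is an early return above this block for a window that is no longer displayed in its frame. On style, the outer `_top` / `_parent` chain is now braced but the inner `if (Frame* parent = ...)` / `else` is still unbraced, so the brace cleanup is only half applied here.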
@@ -1518,6 +1508,11 @@ DEFINE_TRACE(LocalDOMWindow)
LocalFrame* LocalDOMWindow::frame() const
{
+ // If the LocalDOMWindow still has a frame reference, that frame must point
+ // back to this LocalDOMWindow: otherwise, it's easy to get into a situation
+ // where script execution leaks between different LocalDOMWindows.
+ if (m_frameObserver->frame())
+ ASSERT_WITH_SECURITY_IMPLICATION(m_frameObserver->frame()->domWindow() == this);
return m_frameObserver->frame();
}
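Review bot: In frame(), the back-pointer check is only an `ASSERT_WITH_SECURITY_IMPLICATION`, so in any build where that macro is compiled out the function still returns a frame whose domWindow() is a different window, which is exactly the script leak the comment warns about. Consider failing closed, for example returning nullptr when `m_frameObserver->frame()->domWindow() != this`, or using an assertion that is active in release builds. Reading `m_frameObserver->frame()` once into a local would also avoid the three separate calls and keep the check and the return value in agreement.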