Update V8 security token correctly when installing a new Document.

third_party/WebKit/LayoutTests/http/tests/security/opened-document-security-origin-resets-on-navigation.html

+<!DOCTYPE html>
+<html>
+<head>
+<script src="/js-test-resources/js-test.js"></script>
+<script>
+var jsTestIsAsync = true;
+function runTest() {
+  var frame = document.body.appendChild(document.createElement("iframe"));
+  frame.src = "http://localhost:8000/security/resources/opened-document-security-origin-resets-on-navigation-frame.html";
+  frame.onload = function () {

[dcheng, 2016/02/05 00:48:08]

After this loads, frame tree looks like this:

[ Main frame: origin 127.0.0.1:8000 ]
 `--[ Subframe A: origin localhost:8000 ]
     `--[Subframe B: origin doesn't matter yet ]

+    frame.onload = null;
+    var blob = new Blob(["<script>(" + function () {

[dcheng, 2016/02/05 00:48:08]

The blob URL has origin 127.0.0.1:8000. Once subframe A is finished loading, the
blob URL is loaded into subframe B. The frame tree + origins now look like this:

[ Main frame: origin 127.0.0.1:8000 ]
 `--[ Subframe A: origin localhost:8000 ]
     `--[Subframe B: 127.0.0.1:8000 (blob URL) ]

+      frame = document.documentElement.appendChild(document.createElement("iframe"));

[dcheng, 2016/02/05 00:48:08]

After subframe C loads, frame tree looks like this:

[ Main frame: origin 127.0.0.1:8000 ]
 `--[ Subframe A: origin localhost:8000 ]
     `--[Subframe B: 127.0.0.1:8000 (blob URL) ]
         `--[Subframe C: 127.0.0.1:8000 ]

+      frame.contentWindow.setTimeout("parent.document.open()", 0);

[dcheng, 2016/02/05 00:48:08]

document.open() apparently aliases the parent window's security origin:

Once this timer fires, the frame tree + origins look like this:
[ Main frame: origin 127.0.0.1:8000 ]
 `--[ Subframe A: origin localhost:8000 ]
     `--[Subframe B: origin localhost:8000 ]

Subframe C is detached due to the document.open() call, so it is no longer in
the frame tree.

+      setTimeout(function () {

[dcheng, 2016/02/05 00:48:08]

This setTimeout is set on the context of Subframe B. But the document.open()
call does NOT cancel it.

So now we have:
[ Main frame: origin 127.0.0.1:8000 ]
 `--[ Subframe A: origin localhost:8000 ]
     `--[Subframe B: javascript URL: origin = ???? ]

The javascript URL should have origin 127.0.0.1:8000, because it originates from
the blob URL. However, due to the bug of calling setSecurityOrigin():
- The Document has the right security origin (127.0.0.1:8000)
- But the security token of the v8 Context is not updated and is still
localhost:8000.

So v8 allows parent.eval to proceed, even though parent (subframe A) is
cross-origin to subframe B.

+          location = "javascript:'<script>setTimeout(top.finishJSTest, 0); parent.eval(\"alert(location)\"); top.testFailed(\"context security origin was not updated!\");</scr" + "ipt>'" }, 0);
+    } + "())</sc" + "ript>"], {type: "text/html"});
+    frame.contentWindow[0].location = URL.createObjectURL(blob);
+  }
+}
+</script>
+</head>
+<body onload="runTest()">
+</body>
+</html>