Plumb the correct owner document through DocumentInit::m_owner.

third_party/WebKit/Source/core/dom/SecurityContext.cpp

 /*
  * Copyright (C) 2011 Google Inc. All Rights Reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions
  * are met:
  * 1. Redistributions of source code must retain the above copyright
  *    notice, this list of conditions and the following disclaimer.
  * 2. Redistributions in binary form must reproduce the above copyright
  *    notice, this list of conditions and the following disclaimer in the
@@ skipping 14 matching lines @@
  */
 
 #include "core/dom/SecurityContext.h"
 
 #include "core/frame/csp/ContentSecurityPolicy.h"
 #include "platform/weborigin/SecurityOrigin.h"
 
 namespace blink {
 
 SecurityContext::SecurityContext()
-    : m_haveInitializedSecurityOrigin(false)
-    , m_sandboxFlags(SandboxNone)
+    : m_sandboxFlags(SandboxNone)
     , m_hostedInReservedIPRange(false)
     , m_insecureRequestsPolicy(InsecureRequestsDoNotUpgrade)
     , m_enforceStrictMixedContentChecking(false)
 {
 }
 
 SecurityContext::~SecurityContext()
 {
 }
 
 DEFINE_TRACE(SecurityContext)
 {
     visitor->trace(m_contentSecurityPolicy);
 }
 
 void SecurityContext::setSecurityOrigin(PassRefPtr<SecurityOrigin> securityOrigin)
 {
     m_securityOrigin = securityOrigin;
-    m_haveInitializedSecurityOrigin = true;
 }
 
 void SecurityContext::setContentSecurityPolicy(PassRefPtrWillBeRawPtr<ContentSecurityPolicy> contentSecurityPolicy)
 {
     m_contentSecurityPolicy = contentSecurityPolicy;
 }
 
-bool SecurityContext::isSecureTransitionTo(const KURL& url) const
-{
-    // If we haven't initialized our security origin by now, this is probably
-    // a new window created via the API (i.e., that lacks an origin and lacks
-    // a place to inherit the origin from).
-    if (!haveInitializedSecurityOrigin())
-        return true;

[dcheng, 2016/02/24 21:59:02]

There are at least two scenarios to consider here:

1) Creating a new top-level page with something like noopener, which prevents
inheriting the security origin. In that case, the LocalDOMWindow object has a
unique origin. No other frame could have injected properties/event listeners
into it, so it's OK to just use a new Window object. From an efficiency
standpoint, it's probably more efficient to reuse the Window object, but from a
perspective of understanding the code, I think it's nice to remove this edge
case.

2) Unfortunately, this doesn't interact well with page popups. Page popups
currently a LocalDOMWindow supplement: without this logic, the LocalDOMWindow
changes after the supplement is installed. Then we crash inside v8 bindings when
the page popup tries to access its bindings. To fix this, I've changed the page
popup supplement to be bound to a frame.

-
-    RefPtr<SecurityOrigin> other = SecurityOrigin::create(url);
-    return securityOrigin()->canAccess(other.get());
-}
-
 void SecurityContext::enforceSandboxFlags(SandboxFlags mask)
 {
     m_sandboxFlags |= mask;
 
     if (isSandboxed(SandboxOrigin) && securityOrigin() && !securityOrigin()->isUnique()) {
         setSecurityOrigin(SecurityOrigin::createUnique());
         didUpdateSecurityOrigin();
     }
 }
 
 } // namespace blink