Experiment with blocking script inside fragment-parser-inserted `<iframe srcdoc>`.

third_party/WebKit/Source/core/dom/Document.cpp

Index: third_party/WebKit/Source/core/dom/Document.cpp
diff --git a/third_party/WebKit/Source/core/dom/Document.cpp b/third_party/WebKit/Source/core/dom/Document.cpp
index da5e6752a16732027fc1b61eefd3dd5003721fd2..149561f8cdad9baddb47a9948cd30cacaa9c6487 100644
--- a/third_party/WebKit/Source/core/dom/Document.cpp
+++ b/third_party/WebKit/Source/core/dom/Document.cpp
@@ -458,6 +458,7 @@ Document::Document(const DocumentInit& initializer,
       m_sawElementsInKnownNamespaces(false),
       m_isSrcdocDocument(false),
       m_isMobileDocument(false),
+      m_isFragmentParserCreatedSrcdoc(false),
       m_layoutView(0),
       m_contextDocument(initializer.contextDocument()),
       m_hasFullscreenSupplement(false),
@@ -5482,6 +5483,13 @@ void Document::initSecurityContext(const DocumentInit& initializer) {
   if (initializer.shouldTreatURLAsSrcdocDocument()) {
     m_isSrcdocDocument = true;
     setBaseURLOverride(initializer.parentBaseURL());
+
+    if (Element* owner = domWindow()->frameElement()) {
+      HTMLIFrameElement* iframe = toHTMLIFrameElement(owner);
+      m_isFragmentParserCreatedSrcdoc =
+          iframe->createdByFragmentParser() ||
+          iframe->document().isFragmentParserCreatedSrcdoc();
+    }
   }
 
   if (getSecurityOrigin()->isUnique() &&