Throw security errors for attribute access on detached windows.

third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp

Index: third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp
diff --git a/third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp b/third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp
index 29dffc506ac32a55cf33ceb5480614f47b5f3a20..9995dc05e1095bf699c510020fc350230173dd40 100644
--- a/third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp
+++ b/third_party/WebKit/Source/bindings/core/v8/V8Initializer.cpp
@@ -69,6 +69,17 @@
 
 namespace blink {
 
+// TODO(dcheng): This function should be changed to return a DOMWindow.
+// Returning Frame is problematic, as detached DOMWindow/Location objects do not
+// point back to a Frame. For Window, this is not a problem: the security origin
+// can still be determined from the Document. However, Blink currently violates
+// the HTML standard for Location [1] and only has one Location object for the
+// Frame; this makes it impossible to determine the security origin of the a
+// detached Location object.
+//
+// From https://whatwg.org/C/browsers.html#the-location-interface:
+// Each Window object is associated with a unique instance of a Location object,
+// allocated when the Window object is created.
 static Frame* findFrame(v8::Isolate* isolate,
                         v8::Local<v8::Object> host,
                         v8::Local<v8::Value> data) {