Update from https://crrev.com/312600

sky/engine/bindings/core/v8/WindowProxy.cpp

 /*
  * Copyright (C) 2008, 2009, 2011 Google Inc. All rights reserved.
  *
  * Redistribution and use in source and binary forms, with or without
  * modification, are permitted provided that the following conditions are
  * met:
  *
  *     * Redistributions of source code must retain the above copyright
  * notice, this list of conditions and the following disclaimer.
  *     * Redistributions in binary form must reproduce the above
@@ skipping 91 matching lines @@
 
 void WindowProxy::clearForNavigation()
 {
     if (!isContextInitialized())
         return;
 
     ScriptState::Scope scope(m_scriptState.get());
 
     m_document.clear();
 
-    // Clear the document wrapper cache before turning on access checks on
-    // the old LocalDOMWindow wrapper. This way, access to the document wrapper
-    // will be protected by the security checks on the LocalDOMWindow wrapper.
-    clearDocumentProperty();
-
     v8::Handle<v8::Object> windowWrapper = V8Window::findInstanceInPrototypeChain(m_global.newLocal(m_isolate), m_isolate);
     ASSERT(!windowWrapper.IsEmpty());
     windowWrapper->TurnOnAccessCheck();
     disposeContext(DetachGlobal);
 }
 
 // Create a new environment and setup the global object.
 //
 // The global object corresponds to a LocalDOMWindow instance. However, to
 // allow properties of the JS LocalDOMWindow instance to be shadowed, we
@@ skipping 154 matching lines @@
 
 void WindowProxy::updateDocumentProperty()
 {
     ScriptState::Scope scope(m_scriptState.get());
     v8::Handle<v8::Context> context = m_scriptState->context();
     v8::Handle<v8::Value> documentWrapper = toV8(m_frame->document(), context->Global(), context->GetIsolate());
     ASSERT(documentWrapper == m_document.newLocal(m_isolate) || m_document.isEmpty());
     if (m_document.isEmpty())
         updateDocumentWrapper(v8::Handle<v8::Object>::Cast(documentWrapper));
 
-    // If instantiation of the document wrapper fails, clear the cache
-    // and let the LocalDOMWindow accessor handle access to the document.
-    if (documentWrapper.IsEmpty()) {
-        clearDocumentProperty();
-        return;
-    }
     ASSERT(documentWrapper->IsObject());
     context->Global()->ForceSet(v8AtomicString(m_isolate, "document"), documentWrapper, static_cast<v8::PropertyAttribute>(v8::ReadOnly | v8::DontDelete));
 
     // We also stash a reference to the document on the inner global object so that
     // LocalDOMWindow objects we obtain from JavaScript references are guaranteed to have
     // live Document objects.
     V8HiddenValue::setHiddenValue(m_isolate, toInnerGlobalObject(context), V8HiddenValue::document(m_isolate), documentWrapper);
 }
 
-void WindowProxy::clearDocumentProperty()
-{
-    ASSERT(isContextInitialized());
-    if (!m_world->isMainWorld())
-        return;
-    v8::HandleScope handleScope(m_isolate);
-    m_scriptState->context()->Global()->ForceDelete(v8AtomicString(m_isolate, "document"));
-}
-
 void WindowProxy::updateDocument()
 {
     ASSERT(m_world->isMainWorld());
     if (!isGlobalInitialized())
         return;
     if (!isContextInitialized())
         return;
     updateDocumentProperty();
 }
 
 } // namespace blink