If you run the attached layout test in both Chromium and Safari, they produce different results. When the callback fires in resources/xss-inactive-closure-child-2.html, Chromium raises an exception that 'document' is undefined. Safari has 'document' defined, but 'document.bar' is undefined. I think both are safe, but I'd like for someone to confirm this. In addition, I'm not sure if Chromium's behavior is correct. It seems like 'document' should still be defined since the handler held a reference to it. But I'm not sure what the difference between invalidating something for GC purposes is vs. invalidating it for SOP / security purposes.
Created attachment 45118 [details] patch illustrating tests. Note that I used Git for the first time to generate this patch, instead of svn-create-patch; let me know if I bungled it somehow.
Created attachment 45356 [details] Patch
Changing the product - there is no security risk here.
Updating the test to match Safari / WebKit's behavior, which arguably makes more sense. We can mark it FAIL downstream and argue about it there if there's disagreement.
Comment on attachment 45356 [details] Patch Thanks!
Comment on attachment 45356 [details] Patch Clearing flags on attachment: 45356 Committed r52497: <http://trac.webkit.org/changeset/52497>
All reviewed patches have been landed. Closing bug.