From the discussion of bug 60066, it was pointed out that the content settings code for dom storage uses the frame's url, when it should be using it's securityOrigin. Note that this is for the user-created content settings policy.
https://code.google.com/p/chromium/issues/detail?id=230557