Forgot to add - this causes the javascript TypeError Illegal Invocation, and causes pages to not work correctly.

Confirmed.

Repro step:
1. Load the following URL
    data:text/html,<title>PASS</title><img id="title" src="" alt="" /><script>alert(document.title)</script>

Expected: Alert dialog with "PASS" opens.
Actual: Nothing happens (Illegal Invocation on DevTools Console)

CHANGELOG URL:
  https://chromium.googlesource.com/chromium/src/+log/49cbb3034b92f09f510ae5e1bb9934ffbbd2631e..6737af735864f6477d52f5795d2ad1287a7a150f

suspecting https://chromium.googlesource.com/chromium/src/+/0fb38d20480525c24720b73aaca3845dba98082c
yukishiino @, Could you please check the above issue & help us in finding an owner it its not yours.

51.0.2670.0 - Good build
51.0.2671.0 - Bad build

Able to repro on Win7, Mac OSX 10.11.5, Ubuntu 14.04 using Chrome Dev 53.0.2763.0, Beta 52.0.2743.33, Stable 51.0.2704.84 and Canary 53.0.2766.0 using URL provided in c#2.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cccf8630bac25057f6afd30febf8c428cd486b8c

commit cccf8630bac25057f6afd30febf8c428cd486b8c
Author: yukishiino <yukishiino@chromium.org>
Date: Mon Jun 13 15:52:34 2016

binding: Fixes the fallback mechanism of Document's named properties.

The old implementation only works for
a) there is a hidden prototype, and documentWrapper->GetPrototype()
  actually returns itself, or
b) fallbacked attributes are data-type properties.

Since we made attributes be accessor-type properties _and_ removed
the hidden prototype, the old implementation no longer works.

Fixed the issue using V8's GetRealNamedPropertyInPrototypeChain().

BUG= 619036 

Review-Url: https://codereview.chromium.org/2065523002
Cr-Commit-Position: refs/heads/master@{#399461}

[add] https://crrev.com/cccf8630bac25057f6afd30febf8c428cd486b8c/third_party/WebKit/LayoutTests/fast/dom/HTMLDocument/named-item-not-found.html
[modify] https://crrev.com/cccf8630bac25057f6afd30febf8c428cd486b8c/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp

Confirmed the fix on ToT.

this is working fine in #53.0.2767.0 on Win7, Mac OS X 10.11.5, Ubuntu 14.04.

adding TE - verified labels.

[Automated comment] Request affecting a post-stable build (M51), manual review required.

Your change meets the bar and is auto-approved for M52 (branch: 2743)

[Automated comment] Request affecting a post-stable build (M51), manual review required.

Before we approve merge to M51, Could you please confirm whether this change is well baked in Canary and safe to merge? Per comment #8 it is already verified in Canary but is it a safe merge?

Please note that we're cutting Stable RC soon for this week release. I will approve the merge based on reply for comment #12. 

Please merge the CL asap before 5PM so that it gets picked for the next beta promotion scheduled for 6/15. 

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/cccf8630bac25057f6afd30febf8c428cd486b8c

commit cccf8630bac25057f6afd30febf8c428cd486b8c
Author: yukishiino <yukishiino@chromium.org>
Date: Mon Jun 13 15:52:34 2016

binding: Fixes the fallback mechanism of Document's named properties.

The old implementation only works for
a) there is a hidden prototype, and documentWrapper->GetPrototype()
  actually returns itself, or
b) fallbacked attributes are data-type properties.

Since we made attributes be accessor-type properties _and_ removed
the hidden prototype, the old implementation no longer works.

Fixed the issue using V8's GetRealNamedPropertyInPrototypeChain().

BUG= 619036 

Review-Url: https://codereview.chromium.org/2065523002
Cr-Commit-Position: refs/heads/master@{#399461}

[add] https://crrev.com/cccf8630bac25057f6afd30febf8c428cd486b8c/third_party/WebKit/LayoutTests/fast/dom/HTMLDocument/named-item-not-found.html
[modify] https://crrev.com/cccf8630bac25057f6afd30febf8c428cd486b8c/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp

yukishiino@, could you please take a look at comments #12 & #13 and reply asap. Thank you very much.

Sorry for the late response.  And thanks for testing with Canary.

I think the fix is quite safe.  The changed code is only used for look-up of named properties of |window.document| and no other places.  Thus, it's safe to merge.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/a1173e2a3f72674e2f41fa7988c8b35f99741737

commit a1173e2a3f72674e2f41fa7988c8b35f99741737
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Wed Jun 15 06:16:24 2016

binding: Fixes the fallback mechanism of Document's named properties.

The old implementation only works for
a) there is a hidden prototype, and documentWrapper->GetPrototype()
  actually returns itself, or
b) fallbacked attributes are data-type properties.

Since we made attributes be accessor-type properties _and_ removed
the hidden prototype, the old implementation no longer works.

Fixed the issue using V8's GetRealNamedPropertyInPrototypeChain().

BUG= 619036 

Review-Url: https://codereview.chromium.org/2065523002
Cr-Commit-Position: refs/heads/master@{#399461}
(cherry picked from commit cccf8630bac25057f6afd30febf8c428cd486b8c)

Review URL: https://codereview.chromium.org/2070463002 .

Cr-Commit-Position: refs/branch-heads/2743@{#363}
Cr-Branched-From: 2b3ae3b8090361f8af5a611712fc1a5ab2de53cb-refs/heads/master@{#394939}

[add] https://crrev.com/a1173e2a3f72674e2f41fa7988c8b35f99741737/third_party/WebKit/LayoutTests/fast/dom/HTMLDocument/named-item-not-found.html
[modify] https://crrev.com/a1173e2a3f72674e2f41fa7988c8b35f99741737/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp

Approving merge to M51 branch 2704 based on comment #8 and comment #18. Please merge ASAP. Thank you.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/7de5e915f79aba616c2f349992c420246037a0ef

commit 7de5e915f79aba616c2f349992c420246037a0ef
Author: Yuki Shiino <yukishiino@chromium.org>
Date: Wed Jun 15 06:26:16 2016

binding: Fixes the fallback mechanism of Document's named properties.

The old implementation only works for
a) there is a hidden prototype, and documentWrapper->GetPrototype()
  actually returns itself, or
b) fallbacked attributes are data-type properties.

Since we made attributes be accessor-type properties _and_ removed
the hidden prototype, the old implementation no longer works.

Fixed the issue using V8's GetRealNamedPropertyInPrototypeChain().

BUG= 619036 

Review-Url: https://codereview.chromium.org/2065523002
Cr-Commit-Position: refs/heads/master@{#399461}
(cherry picked from commit cccf8630bac25057f6afd30febf8c428cd486b8c)

Review URL: https://codereview.chromium.org/2069953002 .

Cr-Commit-Position: refs/branch-heads/2704@{#722}
Cr-Branched-From: 6e53600def8f60d8c632fadc70d7c1939ccea347-refs/heads/master@{#386251}

[add] https://crrev.com/7de5e915f79aba616c2f349992c420246037a0ef/third_party/WebKit/LayoutTests/fast/dom/HTMLDocument/named-item-not-found.html
[modify] https://crrev.com/7de5e915f79aba616c2f349992c420246037a0ef/third_party/WebKit/Source/bindings/core/v8/WindowProxy.cpp

Thank you guys for your all efforts to land the fix.  As the fix has got merged to M51 and M52, I close this issue as Fixed.

Tested the issue on Win7, Mac OS X 10.11.5, Ubuntu 14.04 using Stable # 51.0.2704.103, displaying 'Pass' alert message.

Adding TE-verified labels for stable.

Tested this on Win7, Mac OSX 10.11.5, Ubuntu 14.04 using Beta 52.0.2743.49 and used the URL given in c#2
 data:text/html,<title>PASS</title><img id="title" src="" alt="" /><script>alert(document.title)</script>

Alert dialog with "PASS" displayed, adding TE-Verified labels.