Issue 696819

Issue metadata

Status: Fixed
Owner:
Closed: Mar 2017
Components:
EstimatedDays: ----
NextAction: ----
OS: All
Pri: 2
Type: Bug

Blocking:
issue 623682



Work out under what circumstances an origin can change in a FeaturePolicy

Project Member Reported by raymes@chromium.org, Feb 28 2017

Issue description

All our assumptions about Feature Policies so far have been that they are tied to a single origin that doesn't change through the Frame/Policy's lifetime. However, it turns out there are some cases where the origin of a SecurityContext can change.

We should make sure that the times that these happen don't break any of our assumptions and that things behave sensibly.
 
Within a normally running page:
- Setting document.domain can change the origin object.
- Calling document.open or document.write from a script executing in another document will set the targeted document to have the same origin object as the entered one.

There are a couple of other instances in the code where setSecurityOrigin is called outside of tests:
- View Source documents set a unique origin during document construction, as does the XML source viewer
- XSLT can create a document object from string data, which has its origin set explicitly. (CSP is reset in that case; FP should probably do the same)
- When cloning a document node

For the latter cases, I think we just need to ensure that the policy is reset properly; they're really just alternate paths to document creation.

Status: Fixed (was: Assigned)
In each of these cases, the policy is being set correctly now -- whenever the origin changes, we call Platform::duplicateFeaturePolicyWithOrigin to create a new policy out of the old one, with the origin updated.

This particular issue was addressed during review of https://codereview.chromium.org/2651883008, and committed as https://chromium.googlesource.com/chromium/src/+/4a6080201a29001f398861f94f8a473d646facd2
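
A simplified C++ model of the stale-origin problem discussed in this issue, added here as an illustration; it is not Chromium's code. `Policy`, `Document`, `duplicateWithOrigin`, the allowlist semantics and the use of the string "null" for a unique origin are all assumptions made for the example.

```cpp
#include <map>
#include <set>
#include <string>
#include <utility>

// Assumption: an origin is modelled by its serialization, and a unique
// (opaque) origin is the string "null", which matches no allowlist entry.
struct Policy {
    std::string origin;                                  // origin this policy is bound to
    std::map<std::string, std::set<std::string>> allow;  // feature -> allowed origins

    bool enabledFor(const std::string& feature, const std::string& o) const {
        if (o == "null") return false;
        auto it = allow.find(feature);
        return it != allow.end() && it->second.count(o) > 0;
    }
    // "Is this feature on for my document?" is answered with the bound origin.
    bool enabled(const std::string& feature) const { return enabledFor(feature, origin); }
};

// Hypothetical stand-in for the duplicate-with-origin step: same allowlists,
// new bound origin.
Policy duplicateWithOrigin(const Policy& old, std::string newOrigin) {
    Policy p = old;
    p.origin = std::move(newOrigin);
    return p;
}

struct Document {
    std::string origin;
    Policy policy;
    // Problem path: the origin changes but the policy keeps its old binding.
    void setOriginStale(std::string o) { origin = std::move(o); }
    // Fixed path: every origin change rebinds the policy.
    void setOrigin(std::string o) {
        origin = std::move(o);
        policy = duplicateWithOrigin(policy, origin);
    }
};

// Constructed sample: a document at https://a.example allowing geolocation for itself.
Document makeDocument() {
    Document d;
    d.origin = "https://a.example";
    d.policy.origin = d.origin;
    d.policy.allow["geolocation"].insert(d.origin);
    return d;
}
```

With `setOriginStale("null")` the policy keeps answering for the old origin, while `setOrigin("null")` makes the policy's answer follow the document's current origin.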