Daniel: I think this is basically one of your concerns from: https://chromium-review.googlesource.com/c/chromium/src/+/600707

This seems to be one bug to fix before we continue with MimeHandlerView migration to using OOPIF. Marking it as a blocker.

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/596e6b3281a8cc2c4b646553e4cde169a29a1d1d

commit 596e6b3281a8cc2c4b646553e4cde169a29a1d1d
Author: Ehsan Karamad <ekaramad@chromium.org>
Date: Fri May 25 04:26:02 2018

Cleanup plugin element frames when the layout tree is detached

Unlike frames, plugin elements (<embed> and <object>) are updated
when their layout tree is rebuilt. However, due to an oversight,
<embed> or <object> elements displaying subframes would only have
the associated content view (FrameView) torn down, leaving a
dangling content frame.

This led to some interesting side effects:
- When transitioning from a local frame to a plugin, the content
  frame would remain live, with JS still happily running.
- When transitioning from a remote frame to a plugin,
- When navigating a remote frame from one URL to another, the
  element would stop updating since the FrameView would be torn
  down but a new one would never be created. Note that this was
  not (as much of) a problem for local frames, since local frames
  re-create the LocalFrameView on every navigation.
With this CL, if a plugin element has an associated content frame,
use that to clean up the state associated with the element when the
layout tree is detached. This can cause the browser context to be
re-created: this matches the behavior of Edge and Firefox.

Note that there is still one edge case where Blink behaves oddly:
if the navigation fails and should display fallback content, the
content frame still remains attached. This will be addressed in
followups.

Link to whatwg issue: https://github.com/whatwg/html/issues/3576

Bug: 776510, 781880
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_layout_ng
Change-Id: Id18605fbe602ea6c0076c1d579345cdcf28cc984
Reviewed-on: https://chromium-review.googlesource.com/996314
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Cr-Commit-Position: refs/heads/master@{#561768}
[modify] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/content/browser/site_per_process_browsertest.cc
[add] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/resources/test_page.html
[add] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-embed-element/detach-frame-on-src-change.html
[add] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-object-element/detach-frame-on-data-change.html
[modify] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-object-element.html
[modify] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/blink/renderer/core/exported/web_frame_test.cc
[modify] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/blink/renderer/core/frame/frame_test_helpers.cc
[modify] https://crrev.com/596e6b3281a8cc2c4b646553e4cde169a29a1d1d/third_party/blink/renderer/core/html/html_plugin_element.cc

The following revision refers to this bug:
  https://chromium.googlesource.com/chromium/src.git/+/815589c705ec4f012c42cc3cd5e98519227b17e4

commit 815589c705ec4f012c42cc3cd5e98519227b17e4
Author: Ehsan Karamad <ekaramad@chromium.org>
Date: Sat Jun 02 01:33:34 2018

Revert "Cleanup plugin element frames when the layout tree is detached"

This reverts commit 596e6b3281a8cc2c4b646553e4cde169a29a1d1d.

Reason for revert: DetachLayoutTree could be called at inopportune times
such as style recalc or during layout. This caused several crashes.

Original change's description:
> Cleanup plugin element frames when the layout tree is detached
>
> Unlike frames, plugin elements (<embed> and <object>) are updated
> when their layout tree is rebuilt. However, due to an oversight,
> <embed> or <object> elements displaying subframes would only have
> the associated content view (FrameView) torn down, leaving a
> dangling content frame.
>
> This led to some interesting side effects:
> - When transitioning from a local frame to a plugin, the content
>   frame would remain live, with JS still happily running.
> - When transitioning from a remote frame to a plugin,
> - When navigating a remote frame from one URL to another, the
>   element would stop updating since the FrameView would be torn
>   down but a new one would never be created. Note that this was
>   not (as much of) a problem for local frames, since local frames
>   re-create the LocalFrameView on every navigation.
> With this CL, if a plugin element has an associated content frame,
> use that to clean up the state associated with the element when the
> layout tree is detached. This can cause the browser context to be
> re-created: this matches the behavior of Edge and Firefox.
>
> Note that there is still one edge case where Blink behaves oddly:
> if the navigation fails and should display fallback content, the
> content frame still remains attached. This will be addressed in
> followups.
>
> Link to whatwg issue: https://github.com/whatwg/html/issues/3576
>
> Bug: 776510, 781880
> Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_layout_ng
> Change-Id: Id18605fbe602ea6c0076c1d579345cdcf28cc984
> Reviewed-on: https://chromium-review.googlesource.com/996314
> Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
> Reviewed-by: Daniel Cheng <dcheng@chromium.org>
> Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
> Cr-Commit-Position: refs/heads/master@{#561768}

TBR=dcheng@chromium.org,creis@chromium.org,alexmos@chromium.org,ekaramad@chromium.org

# Not skipping CQ checks because original CL landed > 1 day ago.

Bug: 776510, 781880, 847216,  846708 
Change-Id: I762631b92463352bea9bf3102d90a13b72776786
Cq-Include-Trybots: master.tryserver.chromium.linux:linux_layout_tests_layout_ng
Reviewed-on: https://chromium-review.googlesource.com/1083500
Reviewed-by: Daniel Cheng <dcheng@chromium.org>
Reviewed-by: Alex Moshchuk <alexmos@chromium.org>
Reviewed-by: Ehsan Karamad <ekaramad@chromium.org>
Commit-Queue: Ehsan Karamad <ekaramad@chromium.org>
Cr-Commit-Position: refs/heads/master@{#563902}
[modify] https://crrev.com/815589c705ec4f012c42cc3cd5e98519227b17e4/content/browser/site_per_process_browsertest.cc
[delete] https://crrev.com/5b3021d75ad1bca4408f05c566de4a92793514f7/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/resources/test_page.html
[delete] https://crrev.com/5b3021d75ad1bca4408f05c566de4a92793514f7/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-embed-element/detach-frame-on-src-change.html
[delete] https://crrev.com/5b3021d75ad1bca4408f05c566de4a92793514f7/third_party/WebKit/LayoutTests/external/wpt/html/semantics/embedded-content/the-object-element/detach-frame-on-data-change.html
[modify] https://crrev.com/815589c705ec4f012c42cc3cd5e98519227b17e4/third_party/WebKit/LayoutTests/http/tests/security/xss-DENIED-object-element.html
[modify] https://crrev.com/815589c705ec4f012c42cc3cd5e98519227b17e4/third_party/blink/renderer/core/exported/web_frame_test.cc
[modify] https://crrev.com/815589c705ec4f012c42cc3cd5e98519227b17e4/third_party/blink/renderer/core/frame/frame_test_helpers.cc
[modify] https://crrev.com/815589c705ec4f012c42cc3cd5e98519227b17e4/third_party/blink/renderer/core/html/html_plugin_element.cc