When a link element is notified about its removal from the tree and the linked stylesheet happens to be the last pending one in the document, the fragment anchor may be updated, which triggers layout updates when they should be forbidden. In special circumstances, the updates may end up resolving a FontFace load promise, which allows an attacker to bypass the ScriptForbiddenScope and corrupt the DOM tree. As a bonus, the exploit circumvents all the nifty protections planned in https://codereview.chromium.org/2478573002/.
Chrome 54.0.2840.87 (Stable)
Chrome 55.0.2883.35 (Beta)
Chrome 56.0.2906.0 (Dev)
Chromium 56.0.2914.0 (Release build compiled today)