This is a regression from issue 524120. Now that the widget updates are deferred until after the frame is detached from the document (and beyond the lifetime of ScriptForbiddenScope, too), it is possible to attach another document to the frame before a new document is installed. The attached document can then be used to bypass the same-origin policy.
Chrome 47.0.2526.27 (Beta)
Chrome 48.0.2540.0 (Dev)
Chromium 48.0.2544.0 + Pepper Flash 19.0.0.207 (Release build compiled today)
Attachment: CVE-2015-6772