Description
According to my testing neither WebKit nor Blink does the equivalent of calling InitializeHostDefinedRealm in step 16 of document.open.
WebKit's document.open and its [JavaScript binding code](https://trac.webkit.org/browser/trunk/Source/WebCore/bindings/js/JSHTMLDocumentCustom.cpp?rev=204629#L153), for example, just sets up the parser state, clears event listeners, & resets some security context, but goes ahead and uses the same global object.
In fact, it's quite possible that a whole bunch of mobile content is dependent on this behavior given the combined market share WebKit and Blink have had in the last decade. In fact, it's easier for authors to depend on the fact that the global object persists over document.open than that it changes, e.g. shared global states, instanceof checks, etc.