One of the more direct UXSS patterns: caching the window property of a same-origin IFrame and then redirecting the IFrame cross-origin left a live window reference that could read the new document’s content without any origin check.

var cachedWindow = wIFrame.window;
wIFrame.location.replace("http://www.google.com");
// After navigation:
alert(cachedWindow.document.body.innerText); // Cross-origin read

The window.window self-reference created an extra layer of indirection that was not invalidated when the IFrame navigated. The cached window reference remained valid after the cross-origin redirect, and its document property pointed into the new origin’s DOM. This was a particularly clean bypass because it required no tricks beyond caching the self-reference property.
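Why the fix has to sit at access time, shown as an added example that is not from the original post or from any browser's source: a toy model in which a handle that follows the frame across navigation leaks the new document unless every property read re-checks the caller's origin. The class and function names and the example.* origins are assumptions made for illustration.

```javascript
// Toy model (constructed, not browser source): a browsing context whose
// current document changes on navigation, and two ways to hand out "window".
class BrowsingContext {
  constructor(origin, text) { this.navigate(origin, text); }
  navigate(origin, text) {
    this.origin = origin;
    this.document = { body: { innerText: text } };
  }
}

class SecurityError extends Error {}

// Flawed: the handle follows the context across navigations, and nothing
// re-checks the origin when document is read.
function uncheckedWindow(ctx) {
  const win = { get document() { return ctx.document; } };
  win.window = win; // self-reference, as in window.window
  return win;
}

// Hardened: every property read compares the caller's origin with the
// origin of whatever document the context holds at that moment.
function checkedWindow(ctx, callerOrigin) {
  const target = { get document() { return ctx.document; } };
  const proxy = new Proxy(target, {
    get(t, prop) {
      if (prop === "window") return proxy; // self-reference stays wrapped
      if (callerOrigin !== ctx.origin) {
        throw new SecurityError(`blocked cross-origin read of ${String(prop)}`);
      }
      return Reflect.get(t, prop);
    },
  });
  return proxy;
}

// Replays the sequence from the post: cache .window, navigate, read document.
function readAfterNavigation(makeWindow) {
  const parentOrigin = "https://parent.example"; // constructed origin
  const ctx = new BrowsingContext(parentOrigin, "same-origin text");
  const cached = makeWindow(ctx, parentOrigin).window;
  ctx.navigate("https://other.example", "cross-origin text");
  try {
    return cached.document.body.innerText;
  } catch (e) {
    if (e instanceof SecurityError) return "SecurityError";
    throw e;
  }
}
```

A regression test for this bug class follows the same shape: cache every self-referencing window property before navigation and assert that each one throws on a document read afterwards.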

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.