Accessing window[0].self on a cross-origin IFrame returned a window reference that bypassed same-origin checks, allowing the attacker page to read the IFrame’s document URL and body content directly.
alert(window[0].self.document.URL + '\n\n' + window[0].self.document.body.innerText);
The self property is normally restricted across origins, but in this case the double-indirection through window[0].self was not subject to the same check that blocked window[0].document. The self accessor had a looser implementation that returned the window directly rather than going through the origin-gated document property path.
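A simplified model of the flaw described above, added here as an illustration; it is not code from the original post or from the browser. The names `makeWindow`, `crossOriginView`, `probe` and `gateSelf` and the two example origins are hypothetical. It shows why the check has to cover every accessor that can return a window, and gives a regression-style probe that tests both access paths.

```javascript
// Toy model (constructed): a "window" is a plain object with an origin and a document.
function makeWindow(origin, url, text) {
  const win = { origin, document: { URL: url, body: { innerText: text } } };
  win.self = win; // self refers back to the window itself
  return win;
}

// Build the view a caller from callerOrigin gets of a frame's window.
// gateSelf = false: `self` hands back the raw window (the flaw described above).
// gateSelf = true:  `self` returns the gated view, so later reads are still checked.
function crossOriginView(target, callerOrigin, gateSelf) {
  const view = {};
  Object.defineProperty(view, 'document', {
    get() {
      if (callerOrigin !== target.origin) {
        throw new Error('SecurityError: cross-origin document access');
      }
      return target.document;
    },
  });
  Object.defineProperty(view, 'self', {
    get() { return gateSelf ? view : target; },
  });
  return view;
}

// Regression-style probe: reports, per access path, whether the document is readable.
function probe(view) {
  const paths = {
    direct: v => v.document.URL,       // window[0].document
    viaSelf: v => v.self.document.URL, // window[0].self.document
  };
  const result = {};
  for (const [name, read] of Object.entries(paths)) {
    try { read(view); result[name] = 'readable'; }
    catch (e) { result[name] = 'blocked'; }
  }
  return result;
}

// Constructed sample data: a frame on one origin, a caller on another.
const frame = makeWindow('https://frame.example', 'https://frame.example/inbox', 'private text');
const flawed = crossOriginView(frame, 'https://attacker.example', false);
const fixed = crossOriginView(frame, 'https://attacker.example', true);
console.log(probe(flawed)); // { direct: 'blocked', viaSelf: 'readable' }
console.log(probe(fixed));  // { direct: 'blocked', viaSelf: 'blocked' }
```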
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.