The location object in IE9 could be called as a function. When called this way with a javascript: URL, it executed the script in the IFrame’s context, bypassing the normal javascript: protocol security checks that apply when setting location.href.

iFrame.location("javascript:alert(document.URL + '\\n\\n' + document.body.innerText)");

Calling iFrame.location(...) as a function was not a documented behavior and apparently bypassed a security check that existed on the assignment path (iFrame.location.href = "javascript:..." was blocked). The invocation path lacked the equivalent check, allowing arbitrary script execution in the IFrame’s context regardless of its origin.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.