Silverlight’s enableHtmlAccess parameter was intended to allow a trusted Silverlight application to interact with its hosting HTML page. When set to true for a cross-origin .xap file, it effectively gave that foreign application script access to the embedding page’s DOM.

<embed
  source="http://www.iframe.com/xss.xap"
  type="application/x-silverlight"
  enableHtmlAccess="true"
/>

A .xap served from another domain could use the Silverlight HTML bridge to call HtmlPage.Window.Eval() or similar APIs in the context of the hosting page. The fix required that enableHtmlAccess be restricted to same-origin .xap files, or that a server-side cross-domain policy file explicitly grant the permission.
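
An added example, not code from the original post: a static audit, in Python, that applies the same-origin rule described above to a page's markup and reports every Silverlight source that is cross-origin and has enableHtmlAccess set to true. It also covers the <object>/<param> form of the same settings, which the post does not show; the page URL and the example.com / example.net hosts are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def origin(url):
    """(scheme, host, port), with default ports filled in."""
    p = urlsplit(url)
    return (p.scheme, p.hostname, p.port or {"http": 80, "https": 443}.get(p.scheme))

class SilverlightAudit(HTMLParser):
    """Collects cross-origin Silverlight sources that have enableHtmlAccess=true."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.findings, self._obj = page_url, [], None

    def _check(self, attrs):  # HTMLParser lower-cases attribute names
        is_sl = (attrs.get("type") or "").lower().startswith("application/x-silverlight")
        enabled = (attrs.get("enablehtmlaccess") or "").strip().lower() == "true"
        src = urljoin(self.page_url, attrs.get("source") or "")
        if is_sl and enabled and origin(src) != origin(self.page_url):
            self.findings.append(src)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "embed":
            self._check(attrs)
        elif tag == "object":
            self._obj = attrs
        elif tag == "param" and self._obj is not None:
            # <object><param name=... value=...> form of the same settings
            self._obj[(attrs.get("name") or "").lower()] = attrs.get("value")

    def handle_endtag(self, tag):
        if tag == "object" and self._obj is not None:
            self._check(self._obj)
            self._obj = None

def audit(html, page_url):
    parser = SilverlightAudit(page_url)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page; only the first embed mirrors the one in the post.
SAMPLE = """
<embed source="http://www.iframe.com/xss.xap" type="application/x-silverlight" enableHtmlAccess="true" />
<embed source="/apps/local.xap" type="application/x-silverlight" enableHtmlAccess="true" />
<object type="application/x-silverlight-2"><param name="source" value="https://cdn.example.net/w.xap"/><param name="enableHtmlAccess" value="true"/></object>
"""
if __name__ == "__main__":  # hosting page URL below is an assumed value
    print(audit(SAMPLE, "http://www.example.com/index.html"))
```

The relative source in the second embed resolves against the hosting page, so it is treated as same-origin and not reported.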

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.