When an IFrame loaded an XML feed or other non-HTML content, accessing its document from an inline event handler bypassed the same-origin check that protected it from script in regular functions. This was closely related to the MHTML finding from earlier.
<iframe name="iFrame" src="feeds.xml"></iframe>
<input onclick="alert(iFrame.document.URL + '\n\n' + iFrame.document.body.innerText);"
type="button" value="Read Feed">
<!-- Inline only — moving this code into a function re-enables the protection -->
The access had to occur synchronously within the event handler’s own activation record. If the same code was placed in a named function and called from the event handler, the check was applied and the access was denied. This suggested the security boundary check was inspecting the call stack depth or the type of the outermost activation frame.
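The following is an added regression page, not code from the original post, for checking that an engine applies the same cross-document decision on both code paths the text describes. It assumes the page is served over HTTP with a feeds.xml beside it (same-origin); swapping src for a cross-origin URL should yield "denied" on both buttons in a correct engine, and the inline path reads the frame in the handler's own activation record, exactly as the original finding required.

```html
<!-- Added regression page (not from the original post). Assumes feeds.xml
     exists beside this file and both are served from one origin. A correct
     engine reports the same outcome on both buttons: allowed when the frame
     is same-origin, denied when it is not. The buggy engine differed. -->
<iframe name="probeFrame" src="feeds.xml"></iframe>
<pre id="log"></pre>
<script>
  function log(label, outcome) {
    document.getElementById('log').textContent += label + ': ' + outcome + '\n';
  }
  // Path 2: the same access made from inside a named function, which in the
  // buggy engine re-enabled the same-origin check. Only the URL is reported,
  // never the framed document's contents.
  function viaFunction() {
    try {
      return 'allowed (' + probeFrame.document.URL + ')';
    } catch (e) {
      return 'denied (' + e.name + ')';
    }
  }
</script>
<!-- Path 1: the access happens directly in the inline handler, in its own
     activation record, with no intermediate function call. -->
<input type="button" value="Inline access"
       onclick="try { log('inline', 'allowed (' + probeFrame.document.URL + ')'); }
                catch (e) { log('inline', 'denied (' + e.name + ')'); }">
<input type="button" value="Access via function"
       onclick="log('function', viaFunction());">
```

Any mismatch between the two log lines for the same frame is the signature of this class of bug: an origin decision that depends on the caller's stack shape rather than on the two documents' origins.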
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.