UXSS bugs in the Chrome (Chromium) engine

URL with a leading NULL byte can bypass cross-origin protection.
https://code.google.com/p/chromium/issues/detail?id=37383

Universal XSS in frame elements handling
https://code.google.com/p/chromium/issues/detail?id=143439

Pwnium UXSS variation
https://code.google.com/p/chromium/issues/detail?id=117550

UXSS with document.baseURI
https://code.google.com/p/chromium/issues/detail?id=90222

Universal XSS using widget updates in ContainerNode::parserRemoveChild
https://bugs.chromium.org/p/chromium/issues/detail?id=560011

Security: Universal XSS using Flash message loop
https://bugs.chromium.org/p/chromium/issues/detail?id=569496

Cross-origin access using window.execScript + code execution
https://bugs.chromium.org/p/chromium/issues/detail?id=83096

Universal XSS using contentWindow.eval
https://bugs.chromium.org/p/chromium/issues/detail?id=83743

UXSS with empty SecurityOrigin
https://bugs.chromium.org/p/chromium/issues/detail?id=89453

UXSS / frame escape with window.open
https://bugs.chromium.org/p/chromium/issues/detail?id=89520

Arbitrary cross-origin bypass using __defineGetter__ prototype override
https://bugs.chromium.org/p/chromium/issues/detail?id=93416

UXSS using Object.getPrototypeOf
https://bugs.chromium.org/p/chromium/issues/detail?id=93759

Cross-origin access to window.__proto__
https://bugs.chromium.org/p/chromium/issues/detail?id=95671

UXSS and use-after-free when DOMWindow is accessed after navigation
https://bugs.chromium.org/p/chromium/issues/detail?id=96047

UXSS via Object::GetRealNamedPropertyInPrototypeChain
https://bugs.chromium.org/p/chromium/issues/detail?id=96885

UXSS via HTMLObjectElement
https://bugs.chromium.org/p/chromium/issues/detail?id=98053

UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document
https://bugs.chromium.org/p/chromium/issues/detail?id=99512

UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads
https://bugs.chromium.org/p/chromium/issues/detail?id=99750

Location bar spoofing when using replaceState in unload event handler
https://bugs.chromium.org/p/chromium/issues/detail?id=101235

v8 builtins object exposed to user causing UXSS
https://bugs.chromium.org/p/chromium/issues/detail?id=143437
Original source: https://www.cnblogs.com/sevck/p/5841196.html