Chrome-based UXSS

url with a leading NULL byte can bypass cross origin protection.
https://code.google.com/p/chromium/issues/detail?id=37383

Universal XSS in frame elements handling
https://code.google.com/p/chromium/issues/detail?id=143439

Pwnium UXSS variation
https://code.google.com/p/chromium/issues/detail?id=117550

UXSS with document.baseURI
https://code.google.com/p/chromium/issues/detail?id=90222

Universal XSS using widget updates in ContainerNode::parserRemoveChild
https://bugs.chromium.org/p/chromium/issues/detail?id=560011

Security: Universal XSS using Flash message loop
https://bugs.chromium.org/p/chromium/issues/detail?id=569496

Cross-origin access using window.execScript + code execution
https://bugs.chromium.org/p/chromium/issues/detail?id=83096

Universal XSS using contentWindow.eval
https://bugs.chromium.org/p/chromium/issues/detail?id=83743

UXSS with empty SecurityOrigin
https://bugs.chromium.org/p/chromium/issues/detail?id=89453

UXSS / frame escape with window.open
https://bugs.chromium.org/p/chromium/issues/detail?id=89520

UXSS with document.baseURI
https://bugs.chromium.org/p/chromium/issues/detail?id=90222

Arbitrary cross-origin bypass using __defineGetter__ prototype override
https://bugs.chromium.org/p/chromium/issues/detail?id=93416

UXSS using Object.getPrototypeOf
https://bugs.chromium.org/p/chromium/issues/detail?id=93759

Cross-origin access to window.__proto__
https://bugs.chromium.org/p/chromium/issues/detail?id=95671

UXSS and use-after-free when DOMWindow is accessed after navigation
https://bugs.chromium.org/p/chromium/issues/detail?id=96047

UXSS via Object::GetRealNamedPropertyInPrototypeChain
https://bugs.chromium.org/p/chromium/issues/detail?id=96885

UXSS via HTMLObjectElement
https://bugs.chromium.org/p/chromium/issues/detail?id=98053

UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document
https://bugs.chromium.org/p/chromium/issues/detail?id=99512

UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads
https://bugs.chromium.org/p/chromium/issues/detail?id=99750

Location bar spoofing when using replaceState in unload event handler
https://bugs.chromium.org/p/chromium/issues/detail?id=101235

Pwnium UXSS variation
https://bugs.chromium.org/p/chromium/issues/detail?id=117550

v8 builtins object exposed to user causing UXSS
https://bugs.chromium.org/p/chromium/issues/detail?id=143437

Universal XSS in frame elements handling
https://bugs.chromium.org/p/chromium/issues/detail?id=143439

 
