<iframe src="target site"/>
w = frames;
The proto of w.focus comes from the caller's global object. But, the proto of w.window.focus, w.document.open and w.location.replace comes from the target site's global object. Thus, bug 369334 is still available.
Created attachment 275942: testcase 1 - window.focus and eval
This tries to get cookies for www.apple.com.
Created attachment 275943: testcase 2 - document.open and location setter
This tries to get cookies for www.apple.com.
Since bug 369334 is fixed only on trunk by XOW, the testcases work on 1.8/1.8.0 branches as well.
Created attachment 276172: Proposed fix
The problem here is the early binding of 'window' that we do: in particular, looking up window on another origin's window (or frame element) will return an XOW. But the XOW is from the wrong scope, leading to this bug. This patch makes us check that the parent of any XOW that's being returned is the right parent.
Fix checked into trunk.