Browserscope deducts points for allowing access to contentDocument across domains:

http://www.browserscope.org/security/about
http://www.stevesouders.com/blog/2009/11/11/security-tests-added-to-browserscope/

We're actually allowing access to a XOW, but that's probably more than we should be allowing. Jonas Sicking said in an email:

"I think we solved [bug 422025] the wrong way. While I don't know of any exploits currently, it's introducing unnecessary complexity into the platform. It's the one case where a page can hold a reference to a node from another domain. We should just make .contentDocument return null for cross-origin frames."

Bug 422025 comment 11 explains why we don't want to throw.