URL with a leading NULL byte can bypass cross-origin protection.
https://code.google.com/p/chromium/issues/detail?id=37383
Universal XSS in frame elements handling
https://code.google.com/p/chromium/issues/detail?id=143439
Pwnium UXSS variation
https://code.google.com/p/chromium/issues/detail?id=117550
UXSS with document.baseURI
https://code.google.com/p/chromium/issues/detail?id=90222
Universal XSS using widget updates in ContainerNode::parserRemoveChild
https://bugs.chromium.org/p/chromium/issues/detail?id=560011
Security: Universal XSS using Flash message loop
https://bugs.chromium.org/p/chromium/issues/detail?id=569496
Cross-origin access using window.execScript + code execution
https://bugs.chromium.org/p/chromium/issues/detail?id=83096
Universal XSS using contentWindow.eval
https://bugs.chromium.org/p/chromium/issues/detail?id=83743
UXSS with empty SecurityOrigin
https://bugs.chromium.org/p/chromium/issues/detail?id=89453
UXSS / frame escape with window.open
https://bugs.chromium.org/p/chromium/issues/detail?id=89520
UXSS with document.baseURI
https://bugs.chromium.org/p/chromium/issues/detail?id=90222
Arbitrary cross-origin bypass using __defineGetter__ prototype override
https://bugs.chromium.org/p/chromium/issues/detail?id=93416
UXSS using Object.getPrototypeOf
https://bugs.chromium.org/p/chromium/issues/detail?id=93759
Cross-origin access to window.__proto__
https://bugs.chromium.org/p/chromium/issues/detail?id=95671
UXSS and use-after-free when DOMWindow is accessed after navigation
https://bugs.chromium.org/p/chromium/issues/detail?id=96047
UXSS via Object::GetRealNamedPropertyInPrototypeChain
https://bugs.chromium.org/p/chromium/issues/detail?id=96885
UXSS via HTMLObjectElement
https://bugs.chromium.org/p/chromium/issues/detail?id=98053
UXSS: XSLT-generated document should inherit its SecurityOrigin from the source document
https://bugs.chromium.org/p/chromium/issues/detail?id=99512
UXSS: executeIfJavaScriptURL gets confused by synchronous frame loads
https://bugs.chromium.org/p/chromium/issues/detail?id=99750
Location bar spoofing when using replaceState in unload event handler
https://bugs.chromium.org/p/chromium/issues/detail?id=101235
Pwnium UXSS variation
https://bugs.chromium.org/p/chromium/issues/detail?id=117550
v8 builtins object exposed to user causing UXSS
https://bugs.chromium.org/p/chromium/issues/detail?id=143437
Universal XSS in frame elements handling
https://bugs.chromium.org/p/chromium/issues/detail?id=143439