
Minor Safari cross domain bug


I found this while writing Astalanumerator. Safari allows you to overwrite top and parent with native code and maybe other stuff (I haven’t tried). This allows you to define something on domain A and call it on domain B using the top and parent. I’d email Apple about it but the last time I reported XSS on the Apple store they ignored me.

You could use this in DOM-based XSS situations when you have control over a link. The attack would work like this:-

PHPIDS

But the remote site would include an iframe to the target page and redefine parent/top as setTimeout or eval. You could also use “name” in this instance to provide an XSS payload.

Here is the PoC for the cross-domain bug in action; I use subdomains in this instance but any domain could be used:-

Safari poc

