SOP Question
Date: August 06, 2008 06:11AM
If you have a vuln on a subdomain, obviously you can't access the main domain. I know you can circumvent this by setting document.domain on both sides; however, when I tested it, if you don't actually manually set document.domain on the target, it doesn't work? Perhaps someone could explain the theory behind that.
Also, are there any other ways to meddle with SOP? I know you can hook window.open and execute arbitrary code, but that's not the stealthiest of methods. I saw RSnake mentioning hooking iframes, but it still doesn't let you execute, so you are relying on the user being stupid enough to type in credentials or whatever it may be.
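
The behaviour described in the question (document.domain has to be set on both sides) follows from how browsers compare origins. The block below is an added example, not part of the original post and not browser code: it models the HTML specification's "same origin-domain" check, with constructed hostnames under example.test and a simplified stand-in for the public-suffix check.

```javascript
// Model of the HTML "same origin-domain" comparison (added example).
// Hostnames are constructed; helper names are hypothetical.

function makeOrigin(scheme, host, port) {
  // domain stays null until the page itself assigns document.domain
  return { scheme, host, port, domain: null };
}

// Models `document.domain = value`: value must be the host or a parent suffix of it.
// Assumption: the real public-suffix check is reduced to "value contains a dot".
function setDocumentDomain(origin, value) {
  const ok = value === origin.host || origin.host.endsWith("." + value);
  if (!ok || !value.includes(".")) throw new Error("SecurityError");
  return { ...origin, domain: value };
}

function sameOriginDomain(a, b) {
  if (a.scheme !== b.scheme) return false;
  // Both pages opted in: compare the relaxed domains; the port is ignored.
  if (a.domain !== null && b.domain !== null) return a.domain === b.domain;
  // Neither page opted in: ordinary scheme/host/port comparison.
  if (a.domain === null && b.domain === null) {
    return a.host === b.host && a.port === b.port;
  }
  // Only one side opted in: never a match, even if the strings look equal.
  return false;
}

function demo() {
  const sub = makeOrigin("https", "blog.example.test", 443);
  const main = makeOrigin("https", "example.test", 443);
  const subRelaxed = setDocumentDomain(sub, "example.test");
  return {
    neitherSet: sameOriginDomain(sub, main),
    onlySubSet: sameOriginDomain(subRelaxed, main),
    bothSet: sameOriginDomain(subRelaxed, setDocumentDomain(main, "example.test")),
  };
}
```

In this model a page whose domain is still null only matches another page whose domain is also null, so a main site that never assigns document.domain stays unreachable from a subdomain that has relaxed its own.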