diff --git a/lib/Runtime/Library/JavascriptArray.cpp b/lib/Runtime/Library/JavascriptArray.cpp
index 57536405935..09d8a9e49e9 100644
--- a/lib/Runtime/Library/JavascriptArray.cpp
+++ b/lib/Runtime/Library/JavascriptArray.cpp
@@ -7563,7 +7563,7 @@ namespace Js
         {
            return res;
         }
-        if (JavascriptArray::Is(args[0]))
+        if (JavascriptArray::Is(args[0]) && !JavascriptArray::FromVar(args[0])->IsCrossSiteObject())
         {
 #if ENABLE_COPYONACCESS_ARRAY
             JavascriptLibrary::CheckAndConvertCopyOnAccessNativeIntArray<Var>(args[0]);
diff --git a/test/Array/shift_unshift.baseline b/test/Array/shift_unshift.baseline
index bb805682a93..3217e7ce5f2 100644
--- a/test/Array/shift_unshift.baseline
+++ b/test/Array/shift_unshift.baseline
@@ -48,6 +48,7 @@ e instanceOf TypeError = true
 a.length = 1
 ary.length = 18
 arr.length = 6
+Crosssite new length: 2
 Overridden unshift
 Overridden unshift
 Overridden unshift
diff --git a/test/Array/shift_unshift.js b/test/Array/shift_unshift.js
index 324a7456d16..2ba3bf55c5b 100644
--- a/test/Array/shift_unshift.js
+++ b/test/Array/shift_unshift.js
@@ -140,6 +140,14 @@ function test1(arr)
 
 WScript.Echo("arr.length = " + test1(new Array(10)));
 
+// OS 9357224: Array.prototype.unshift does not marshal parameters correctly
+function crossSiteUnshift() {
+    var sc0 = WScript.LoadScript('', 'samethread');
+    sc0.ary = [1];
+    return sc0.eval('Array.prototype.unshift.call(ary, null)');
+}
+WScript.Echo("Crosssite new length: " + crossSiteUnshift()); // 2
+
 //
 // To check bailouts for inlined unshift
 //
@@ -164,4 +172,3 @@ function foo()
 Array.prototype.unshift = function(){WScript.Echo ("Overridden unshift")};
 foo();
 WScript.Echo (a);
-