IE10 Sandbox Multiple Flags Bypass via createHTMLDocument

A sandboxed iframe with only allow-scripts set could bypass restrictions on cookie access and same-domain content reads by creating a new document object through document.implementation.createHTMLDocument. The new document inherited the real origin rather than the sandboxed origin, making all the sandbox’s restrictions irrelevant.

<!-- parent page -->
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE TOP WINDOW";
</script>

<!-- sandboxed.html -->
<script>
var myDoc = document.implementation.createHTMLDocument("A_TITLE");
alert(myDoc.cookie);
// Also possible: use the download behavior on myDoc to read files from the same domain.
</script>

The sandboxed document’s document.cookie was correctly blocked, but a freshly created HTML document via createHTMLDocument — and likely createDocument as well — was not subject to the same sandboxing. The new document shared the page’s real origin, so cookies and same-domain fetches worked freely through it.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [DoS: Loading an HTC Behavior on a createHTMLDocument Element Crashes IE] :: [IE10 Sandbox Bypass via Windows Media Player launchURL] >