IE9 UXSS: Reading Non-HTML IFrame Content from an Inline Event Handler

When an IFrame loaded non-HTML content (such as a .mht MHTML file), accessing its document property was normally blocked. However, doing so from an inline event handler on a button — rather than from a regular function — bypassed the check. The access had to happen synchronously within the event handler’s own call frame.

<iframe name="iFrame" src="goto_google.mht"></iframe>

<input onclick="alert(iFrame.document.URL);" type="button" value="Read">
<!-- Must be inline — does NOT work if called through a function -->

The security check for non-HTML content access was applied differently depending on the call stack. Inline event handlers ran in a slightly different execution context than script called through a function, and the check in that path was less stringent. Moving the alert(iFrame.document.URL) call into a named function re-enabled the protection.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE9 UXSS: Getting Function Constructor from a Cached location.replace] :: [IE9 UXSS: Object.defineProperty Intercepts Cross-Origin Navigation] >