Persistent Modeless Window Surviving Navigation

This bug had been sitting around for a long time without a report because on its own it seemed minor. When a modeless dialog is opened from inside an iFrame with a DOM object passed as the second argument, the dialog survives even after the parent window navigates to a completely different URL. The dialog stays alive for as long as the tab remains open.

<!-- index.html: hosts the iFrame -->
<iframe src="iframe.html" width="240" height="40"></iframe>

// iframe.html: opens the modeless from inside the iFrame
function main() {
    showModelessDialog('modeless.html', window, 'dialogwidth=400px;dialogHeight=200px');
    parent.location = 'http://www.bing.com';
}

The second argument to showModelessDialog must be a DOM object — passing window here is what triggers the persistence. After the parent navigates to Bing, the modeless dialog continues to show. The reason this became worth filing was the arrival of Metro mode; combined with other bugs like the invisible-domain issue, a persistent modeless could be used for phishing overlays that survived browsing sessions. Tested on Win8 RTM IE10 Metro and Desktop.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Metro: Modal Window Domain Hidden by Solid Background] :: [IE10 Protected Mode Escape via XBAP File Handler] >