This one was a logic issue rather than a crash. When a sandboxed iframe with allow-popups opened a new window and the user then typed a different URL into that new window’s address bar, the new URL remained sandboxed, which it should not have been. User-initiated address-bar navigations are supposed to break the sandbox chain.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>IE11_SandBox_too_tight</title>
</head>
<body>
<iframe sandbox="allow-popups" width="200" height="50" src="sandboxed.html"></iframe>
</body>
</html>
The sandboxed.html inside the frame contained a link to open a new window. After clicking that link and manually navigating the new window to any URL via the address bar, the new page was still treated as sandboxed. This appeared to be related to the prerender/prefetch feature introduced in IE11, which may have preserved the sandbox token across what should have been an unrestricted navigation.
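The inheritance rule described above can be written down as a small model and used as a regression check. This is an added example, not code from the original post or from IE; the function names, the `buggy` switch and the popup and typed URLs are assumptions made for illustration.

```javascript
// Simplified model of sandbox inheritance; all names here are hypothetical.
const RESTRICTIONS = ["popups", "scripts", "forms", "same-origin", "top-navigation"];

// A sandbox attribute turns every restriction on; each allow-* token lifts one.
function parseSandbox(attr) {
  const lifted = new Set(
    attr.toLowerCase().split(/\s+/).filter(Boolean).map(t => t.replace(/^allow-/, "")));
  return new Set(RESTRICTIONS.filter(r => !lifted.has(r)));
}

function makeFrame(sandboxAttr, url) {
  return { url, restrictions: parseSandbox(sandboxAttr) };
}

// A popup opened from sandboxed content inherits the opener's restrictions.
function openPopup(opener, url) {
  if (opener.restrictions.has("popups")) return null; // allow-popups missing
  return { url, restrictions: new Set(opener.restrictions) };
}

// initiator is "content" (link, script) or "user" (URL typed in the address bar).
// buggy=true models the reported behaviour: restrictions survive a user navigation.
function navigate(ctx, url, initiator, buggy = false) {
  const reset = initiator === "user" && !buggy;
  return { url, restrictions: reset ? new Set() : new Set(ctx.restrictions) };
}

function isSandboxed(ctx) {
  return ctx.restrictions.size > 0;
}

// The steps from the page: frame -> popup via link -> typed URL in the popup.
function reproduce(buggy) {
  const frame = makeFrame("allow-popups", "sandboxed.html");
  const popup = openPopup(frame, "popup.html"); // constructed URL
  const typed = navigate(popup, "https://example.test/", "user", buggy); // constructed URL
  return { popupSandboxed: isSandboxed(popup), typedSandboxed: isSandboxed(typed) };
}

console.log("expected:", reproduce(false));
console.log("reported:", reproduce(true));
```

In both runs the popup itself is sandboxed, which is correct; only the state after the typed navigation differs.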
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.