typeof Checks Cross-Origin Variable Existence via 'unknown' Return Value

A companion to the ACCESS_DENIED exception method: in IE, typeof applied to a cross-origin iFrame property returns "unknown" when the property exists (because the engine recognizes it but can’t expose it), and "undefined" when the property doesn’t exist at all. This distinction leaks variable presence across origins without requiring an exception to be thrown or caught.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>typeof_checks_existance_of_xDom_members</title>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
</head>
<body>
<iframe src="http://www.bing.com/" name="iFrame" width="700" height="150"></iframe>

<script>
function main()
{
	var VARIABLE_EXISTS = true;
	
	if (typeof iFrame[document.all.varName.value] == "undefined") VARIABLE_EXISTS = false;
	
	alert("Variable " + document.all.varName.value + (VARIABLE_EXISTS ? " DOES " : " DOES NOT ") + "exist!");
}
</script>
</body>
</html>

The "unknown" type is an IE-specific quirk: when a property is known to exist on a COM-based object but cannot be safely returned, IE’s typeof operator surfaces "unknown" rather than throwing. For cross-origin windows, this becomes a reliable oracle — "unknown" means the property is there, "undefined" means it isn’t.

Both this approach and the exception-based variant from the previous entry share the same root issue: IE’s same-origin enforcement treated access differently depending on whether a property existed, inadvertently exposing that existence as a side channel.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.