iframe security=restricted Bypass via New Window opener.setTimeout

The security="restricted" attribute on an iframe is meant to prevent script execution inside it. But if a link inside the restricted frame opens a new window, and that new window calls opener.setTimeout() with a string of code, the code executes in the restricted frame’s context — bypassing the restriction entirely.

<!-- parent page -->
<iframe security="restricted" src="restricted.html"></iframe>

<!-- restricted.html -->
<a href="restricted_breaker.html">Break me out!</a>

<!-- restricted_breaker.html (new window) -->
<script>
opener.setTimeout('alert("Code executed in the restricted iFrame")');
</script>

The opener reference pointed back to the restricted iframe’s window, and setTimeout accepted a string that was evaluated as script in that context. Beyond setTimeout, other properties like Function, document, and the window object itself could similarly be used to execute code in the restricted frame. The restriction was more of a suggestion than an enforcement boundary.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 DoS: Setting designMode in an HTC Behavior Crashes Browser] :: [IE8 EoP: Framed Cross-Domain Flash GetURL Triggers Exploitable Crash on Reload] >