IE10: Rendering Almost Any File as HTML via pushState + Server Redirect + Reload

I found that using history.pushState to inject a redirect URL into the navigation history, followed by history.go(0) to reload, caused IE10 to render the redirect target using the previous page’s rendering mode and document mode rather than the actual content type of the loaded file. This meant that uploading a file with a non-HTML extension (like .swf) and redirecting to it could cause the browser to treat it as HTML and execute any embedded script.

// We first push the URL that we want to render as HTML.
history.pushState("","","redir.aspx?URL=somefile.swf");

// And reload the page.
history.go(0); // This will render the file as HTML instead of swf.

The real issue was in how the browser handled reloads: it preserved the prior rendering context and document mode instead of re-evaluating the content type of the newly loaded resource. Image files happened to render correctly after redirect, but most other file types were affected. The bug could also be reproduced without pushState by having the server return different content on a reload request.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [EoP: Flash innerHTML Random Crash is PROBABLY_EXPLOITABLE] :: [IE10: Referrer Spoofing via history.replaceState + Server Redirect + Reload] >