I found that when an iframe used a <meta http-equiv="refresh"> tag to navigate itself to about:blank, the resulting about:blank inherited the domain of the parent page rather than the iframe’s own origin — the opposite of the correct behavior. This was exploitable in any Trident-based host that did not subscribe to the fix (such as Maxthon or Chrome’s IE Tab extension), because those hosts also allowed about:<script> as a navigable URL, letting the script execute in the hijacked domain context. IE itself subscribed to a fix that blocked this, but third-party Trident hosts did not.

<!-- metablank.html (loaded into an iframe of the cross-origin page) -->
<meta http-equiv="refresh" content="0;url=about:<script>alert(parent.document.URL + '\n' + parent.document.body.innerText)</script>">

// On the attacker page, navigate a sub-iframe of the target cross-origin page:
window[0][0].location.href = "metablank.html";

When the cross-origin page’s inner iframe was pointed at metablank.html, the meta-refresh to about:<script> executed in the parent page’s domain context instead of the iframe’s own origin. The script inside the about: URL was able to read parent.document.URL and parent.document.body.innerText of the cross-origin page.
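The two host-side decisions this bug hinged on, as an added example that is not code from the original post or from any Trident host: which about: URLs a host should treat as navigable at all, and which origin a document produced by an about:blank navigation inherits. It models origins as plain "scheme://host" strings and the navigation as a constructed record carrying the origin of the document that issued the navigation (the iframe itself) and the origin of that iframe's parent; the function names and record shape are assumptions for illustration, not any engine's API.

```javascript
// Added example, not code from the original post. Models the two checks an
// embedding host of an HTML engine has to get right for about: navigations.
// Origins are "scheme://host" strings; the nav record is constructed here.

const ABOUT_SCHEME = /^about:/i;

// Classify a navigation target. Only about:blank and about:srcdoc are
// legitimate about: targets; anything else after "about:" (including a URL
// that carries markup, as in the post) is "about-other" and must be refused.
function classifyTarget(href) {
  const trimmed = href.trim();
  if (!ABOUT_SCHEME.test(trimmed)) return "remote";
  const rest = trimmed.slice("about:".length);
  if (rest === "blank") return "about-blank";
  if (rest === "srcdoc") return "about-srcdoc";
  return "about-other";
}

// Origin of a non-about URL: scheme://host[:port], or null when the URL does
// not parse or has an opaque origin (treated as untrusted by the host).
function remoteOrigin(href) {
  try {
    const u = new URL(href);
    return u.origin === "null" ? null : u.origin;
  } catch (_) {
    return null;
  }
}

// Correct rule (HTML standard): an about:blank document inherits the origin
// of the document that initiated the navigation, here the iframe that
// navigated itself, never the origin of the iframe's parent.
function inheritedOrigin(nav) {
  return nav.initiatorOrigin;
}

// The behaviour the post describes, kept only so a regression check can tell
// the two rules apart: the new document took the parent's origin.
function inheritedOriginBuggy(nav) {
  return nav.parentOrigin;
}

// Host-side decision: refuse everything under about: except blank/srcdoc and
// assign the origin the standard requires. The inheritance rule is injected so
// the same decision logic can be exercised against both rules.
function decideNavigation(nav, inherit = inheritedOrigin) {
  const kind = classifyTarget(nav.href);
  if (kind === "about-other") {
    return { allowed: false, reason: "non-navigable about: URL" };
  }
  if (kind === "remote") {
    const origin = remoteOrigin(nav.href);
    return origin
      ? { allowed: true, origin }
      : { allowed: false, reason: "unparseable or opaque URL" };
  }
  return { allowed: true, origin: inherit(nav) };
}

// Regression check mirroring the post's layout: an iframe whose own document
// came from outer.example navigates itself to about:blank while framed inside
// a page from framed.example. The resulting origin must stay outer.example.
// Returns true when the supplied inheritance rule gets this right.
function aboutBlankKeepsInitiatorOrigin(inherit) {
  const nav = {
    href: "about:blank",
    initiatorOrigin: "https://outer.example",  // constructed: the iframe's own origin
    parentOrigin: "https://framed.example",    // constructed: the cross-origin page around it
  };
  const decision = decideNavigation(nav, inherit);
  return decision.allowed && decision.origin === nav.initiatorOrigin;
}
```

Run stand-alone, `aboutBlankKeepsInitiatorOrigin(inheritedOrigin)` returns true while the same check with `inheritedOriginBuggy` returns false, and `decideNavigation` refuses any about: target other than blank/srcdoc before the inheritance question even arises. Separating the "is this navigable" check from the "which origin" rule is deliberate: either one alone would have stopped the scenario in the post, and a host should not rely on the engine getting both right.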

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.