IE10 Metro: Loading mhtml from Sandboxed iframe Breaks Out to Top Window Without Showing Address Bar

I found that in IE10 Metro, navigating a fully sandboxed iframe to an MHTML file caused the MHTML content to open in the top window rather than stay contained in the iframe. This bypassed the sandbox entirely and also suppressed the address bar notification — the user had no indication that the top-level URL had changed. The fix was to either disallow MHTML rendering or treat MHTML as plain HTML.

<!-- index.html -->
<iframe sandbox src="sandboxed.html" width="500" height="50"></iframe>

<!-- sandboxed.html (inside the sandbox) -->
I am sandboxed.html, <a href="sandboxbreaker.mht">click here</a> to load the mhtml and break out.

When the sandboxed iframe navigated to sandboxbreaker.mht, the MHTML file was loaded in the top window rather than inside the iframe, silently replacing the top-level document with unsandboxed content and without showing the Metro address bar. This worked only on the Metro version of IE10 — the desktop version was not affected.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Metro: Back Gesture Can Be Spoofed with Oversized Scrollable Div and iframe] :: [IE10 UXSS: pushState + Redirect + history.back() Retains Cross-Origin DOM Access] >