A simpler variant of the pop-up origin spoof: placing a <base href> pointing to a trusted domain and then calling window.open() caused the IE info bar to display that trusted domain as the source of the blocked pop-up.
<base href="http://www.facebook.com">
<script language="JavaScript">
function blockMe()
{
    window.open();
}
</script>
IE resolved the pop-up origin relative to the document’s base href rather than its actual URL. So a page on evil.com with <base href="http://www.facebook.com"> would produce an info bar reading “IE blocked a pop-up from facebook.com”. The technique was different from the WebBrowser Navigate variant (entry 48) but produced the same visual result: a convincing attribution to a trusted site.
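The attribution flaw described above, modelled as an added example (not code from the original post and not IE's implementation): it contrasts a source label derived from the base URL with one derived from the document's own URL, and adds a check that flags a cross-origin <base href>. All function names and the sample page URL are hypothetical, and the regex extraction is a simplification of real HTML parsing.

```javascript
// Constructed sample: the page from the post, assumed to be served from evil.com.
const PAGE_URL = "http://evil.com/page.html";
const PAGE_HTML = `<base href="http://www.facebook.com">
<script language="JavaScript">function blockMe(){ window.open(); }</script>`;

// Extract the first <base href> value; only the first <base> element applies.
function firstBaseHref(html) {
  const m = /<base\b[^>]*\bhref\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(html);
  return m ? (m[1] ?? m[2] ?? m[3]) : null;
}

// Flawed attribution: resolve the pop-up's empty URL against the base URL
// and report that host, which is what the info bar ended up displaying.
function flawedPopupSource(docUrl, html) {
  const base = firstBaseHref(html);
  const baseUrl = base ? new URL(base, docUrl) : new URL(docUrl);
  return new URL("", baseUrl).hostname;
}

// Correct attribution: the source is the document that called window.open(),
// identified by its own URL. <base> only changes how relative links resolve.
function correctPopupSource(docUrl) {
  return new URL(docUrl).hostname;
}

// Review/detection check: does the page declare a base URL on another origin?
function crossOriginBase(docUrl, html) {
  const base = firstBaseHref(html);
  if (!base) return false;
  try {
    return new URL(base, docUrl).origin !== new URL(docUrl).origin;
  } catch {
    return false; // unparsable href cannot redirect attribution
  }
}

console.log("flawed label: ", flawedPopupSource(PAGE_URL, PAGE_HTML));
console.log("correct label:", correctPopupSource(PAGE_URL));
console.log("cross-origin base:", crossOriginBase(PAGE_URL, PAGE_HTML));
```

Any security UI that names a source should take it from the calling document's URL, as `correctPopupSource` does, and never from a value the page markup controls.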
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.