The IE9 XSS filter used the HTTP Referer header to determine whether a reflected script came from the same page, and only blocked scripts that appeared to have been injected from outside. By injecting a named IFrame via XSS and then navigating through a redirect page, an attacker could make the victim page appear to be its own referrer, bypassing the filter entirely.
// 1. Inject a named iframe via an existing XSS on the target
// <iframe name="injectedIFrame"> (via reflected XSS)
// 2. Open the redirect page into the named iframe
window.open("redirect.html", "injectedIFrame");
// redirect.html:
// location = "http://victim.com/xss.php?payload=...";
// This makes victim.com the referrer of its own XSS request
Because the navigation originated from a location assignment inside redirect.html, the browser set the Referer header to the victim domain itself. The XSS filter saw a request whose Referer and target shared the same origin, concluded the script had not been injected from outside, and let it execute.
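To make the decision rule concrete, here is an added Python model (my own code, not IE's implementation or the author's): `referer_exempt_filter` treats a same-origin Referer as proof of a benign navigation and skips the reflection check, which is exactly the gap the redirect trick walks through, while `reflection_only_filter` ignores Referer, which the navigating document can influence, and judges only whether a script-like parameter is reflected. The URLs, marker strings and response body are constructed sample data, and the reflection heuristic is a deliberate simplification of what a real filter does.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample: a reflected-XSS request and the page that echoes it back.
SAMPLE_URL = "http://victim.example/xss.php?payload=%3Cscript%3Ealert(1)%3C/script%3E"
SAMPLE_BODY = "<html><body>Echo: <script>alert(1)</script></body></html>"

# Simplified "looks like script" markers; a real filter uses far richer signatures.
SCRIPT_MARKERS = ("<script", "javascript:", "onerror=", "onload=")


def origin(url):
    """Return (scheme, host, port) for a URL, or None if it has no host."""
    p = urlsplit(url)
    if not p.hostname:
        return None
    port = p.port or (443 if p.scheme == "https" else 80)
    return (p.scheme.lower(), p.hostname.lower(), port)


def reflected_script(request_url, response_body):
    """True if a script-like query value is echoed verbatim in the response."""
    query = urlsplit(request_url).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for v in values:
            low = v.lower()
            if any(m in low for m in SCRIPT_MARKERS) and v in response_body:
                return True
    return False


def referer_exempt_filter(request_url, referer, response_body):
    """Flawed rule from the text: a same-origin Referer means 'not injected
    from outside', so the response is allowed without inspecting it."""
    if referer and origin(referer) == origin(request_url):
        return "allow"
    return "block" if reflected_script(request_url, response_body) else "allow"


def reflection_only_filter(request_url, referer, response_body):
    """Hardened rule: Referer is never a trust signal; only reflection counts."""
    return "block" if reflected_script(request_url, response_body) else "allow"


if __name__ == "__main__":
    # Referer forged to the victim's own origin, as in the redirect trick above.
    same_origin_ref = "http://victim.example/search"
    print("flawed  :", referer_exempt_filter(SAMPLE_URL, same_origin_ref, SAMPLE_BODY))
    print("hardened:", reflection_only_filter(SAMPLE_URL, same_origin_ref, SAMPLE_BODY))
```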
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.