I found that using history.replaceState to point the current history entry at a redirect URL, then calling location.reload(), caused IE10 to load the redirect target while preserving the original referrer from before the replaceState call. An iframe’s referrer should always be the URL of the page that caused its navigation — but this technique allowed changing the loaded URL without changing the referrer, enabling XSS filter bypass.
// Inside an iframe:
history.replaceState("","","redir.aspx?URL=url_02.html"); // Set the URL that you want to load.
location.reload(); // And reload the page.
The reload fetched the redirect target, while the document.referrer seen by the destination page remained unchanged. This was related to several previously filed issues, including an XSS filter bypass via history.back() (MSRC #11348) and an iframe source confusion bug. The same result could also be achieved by navigating to a page that called history.back() instead of reloading.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.