This is a "pseudo" UXSS because it requires cooperation from the target page — the cross-origin document has to run top.opener = document. Once it does, the parent page can access that document...

After some persistence I found a way to open an unrestricted pop-up window on both IE6 and IE7 using the htmlFile ActiveX object. The trick is to store the ActiveX reference outside an IFRAME, kill...

This technique keeps a script alive even after the user navigates away from the page — like a "terminate and stay resident" program from the DOS era. By creating an htmlFile ActiveX object, writing a...

This variation doesn't use the mhtml: protocol at all. Instead, it relies on the <BASE HREF> tag pointing to a server-side redirect. A createPopup() that reloads itself inherits the redirected...

The WebBrowser Control ActiveX (the same engine that powers IE) exposes a Navigate method that opens URLs without going through the pop-up blocker. Embedding a tiny, invisible instance of the control...

I was playing around with the WebBrowser-family ActiveX controls and noticed that one of them exposed a DOM.Script.open() method that bypassed the pop-up blocker entirely. The control essentially...

I was lucky to find this one. The technique exploits how IE handles the mhtml: protocol combined with a server-side redirect to strip the Same Origin Policy boundary entirely. By loading a page via...

This one is not mine — a coworker found it when IE 5.5 shipped. I included it in a report to MSRC because it was still working on IE 6 and, at the time, IE7 as well. Two lines.

When SP2 shipped, Microsoft added size restrictions to createPopup() — the popup window could no longer extend beyond the browser's own boundaries. It was a reasonable fix for a technique that was...

I named this one "Lazarus Resurrection" because the script dies and comes back to life. The idea was to keep a piece of JavaScript running even after the user has navigated away from the page — the...

The finding was simple to describe: load any site cross-domain, then read its DOM. No user interaction required beyond visiting the page. It affected IE 5.5, 6.x, and IE7.