IE/Edge Worker Base Href and importScripts SOP Bypass

Both Microsoft IE and Edge allow an attacker to quickly bypass SOP restrictions on Workers, either by setting a BASE HREF to the desired domain or by doing a bold importScripts(URL) from within the worker. Scripts and errors can be leaked (and other members abused) as shown below.


Same Origin Policy - https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy

JavaScript with <script src="..."></script>: error messages for syntax errors are only available for same-origin scripts.
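
For reference, the two restrictions this page says are bypassed can be modelled as below. This is an added example, not code from the original PoC. It is a simplified model of what a conforming browser enforces, suitable as the expectation in a regression test. The function names, the `.example` URLs and the shape of the sanitized error are assumptions.

```javascript
// Simplified model of the expected (non-vulnerable) behaviour.
// All names and sample URLs are constructed for illustration.

// new Worker(url): the URL is resolved against the document base URL, which
// <base href> can change, but the result must still be same-origin with the
// document itself, not with whatever the base points to.
function resolveWorkerScript(documentUrl, baseHref, scriptUrl) {
  const docOrigin = new URL(documentUrl).origin;
  const base = baseHref ? new URL(baseHref, documentUrl) : new URL(documentUrl);
  const resolved = new URL(scriptUrl, base);
  if (resolved.origin !== docOrigin) {
    return { allowed: false, reason: "SecurityError", url: resolved.href };
  }
  return { allowed: true, reason: null, url: resolved.href };
}

// importScripts(url): a cross-origin script may run, but when it fails the
// worker must only see a generic error with no message, file or position.
// The HTML standard rethrows a NetworkError; the empty fields are this
// model's assumption about what "no details" looks like.
function errorVisibleToWorker(workerUrl, scriptUrl, error) {
  const workerOrigin = new URL(workerUrl).origin;
  const scriptOrigin = new URL(scriptUrl, workerUrl).origin;
  if (scriptOrigin === workerOrigin) {
    return { ...error }; // same origin: full details are fine
  }
  return { name: "NetworkError", message: "", filename: "", lineno: 0 };
}

// Constructed sample inputs.
const page = "https://site.example/page.html";
console.log(resolveWorkerScript(page, null, "worker.js"));
console.log(resolveWorkerScript(page, "https://other.example/", "worker.js"));
console.log(errorVisibleToWorker("https://site.example/worker.js",
  "https://other.example/lib.js",
  { name: "SyntaxError", message: "Unexpected identifier", filename: "lib.js", lineno: 3 }));
```

A browser that accepts the second `resolveWorkerScript` case, or returns the original error in the cross-origin `errorVisibleToWorker` case, shows the behaviour described on this page.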





     

Note: if the ImportError version fails the first time, retry please.





Detailed Explanation of the bug: Workers SOP Bypass

Questions? Ping me on Twitter @magicmac2000

Special thanks to Gareth Heyes for helping me make this PoC clearer.