Properties that leak the parent URL even when sandboxed

This vector shows all the properties in window and document that contain a URL that leaks the parent URL even when sandboxed.

Created byhackvertor

Created Jun 6, 2024

Updated Dec 10, 2025

Detecting browser...

CategoryBrowser Quirks

VisibilityPublic

TypeJS

CharsetUTF-8

Code used before fuzz:

const regex = /^(?:https?):\/\/shazzer[.]co[.]uk/;0x0D
Object.getOwnPropertyNames(window).forEach(prop => {0x0D
   try{0x0D
      regex.test(window[prop]+'')&&log('window.'+prop)0x0D
   }catch{}0x0D
});0x0D
for(const prop in document){0x0D
  try{0x0D
       regex.test(document[prop]+'')&&log('document.'+prop);0x0D
  } catch{}0x0D
}