Properties are accessible in a sandboxed iframe
This vector attempts to see which properties are available on the parent window of a sandboxed iframe.
Created by: hackvertor
Created on: Friday, June 7, 2024 at 7:41:00 PM
Updated on: Wednesday, December 10, 2025 at 9:40:19 PM
Category: Browser Quirks
Vector visibility: Public
Vector type: JS
Vector charset: UTF-8
Code used before fuzz:
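// Candidate names: every own property name of this window...
const props = Object.getOwnPropertyNames(window);
// ...plus every enumerable document property, prefixed with "document.".
// Note: each of these is later looked up as one literal key on parent, not as a nested path.
for (const prop in document) {
  try {
    props.push("document." + prop);
  } catch {}
}
// Report each name that can be read from the parent window without throwing.
// log() is not defined in this snippet; it is assumed to come from the fuzzing environment.
props.forEach(prop => {
  try {
    if (typeof parent[prop] !== 'undefined') {
      log("parent." + prop);
    }
  } catch {}
});
Template used: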
1337
Sample payloads
1337
Fuzz results
Firefox 146.0 desktop macOS 10.15
Updated: Wed Dec 10 2025
Found 13 results
Safari 26.1 desktop macOS 10.15.7
Updated: Wed Dec 10 2025
Found 13 results
Chrome 144.0.0.0 desktop macOS 10.15.7
Updated: Fri Jan 23 2026
Found 13 results
