Show Demo(designed for Internet
Explorer and Opera only)
How it works
Attacker creates an iframe tag pointing to a victim
site, setting Microsoft's security=restricted property on the
iframe tag.
Internet Explorer will not allow the JavaScript frame-busting
code inside the iframe to execute, because the frame is now in the
"Restricted Zone."
If the iframe location is on the same domain, the attacker
can use JavaScript to manipulate its document.
It is possible to use JavaScript inside the restricted iframe,
by attaching event handlers from the outside (unrestricted)
window. This allows the outer window to get around the restriction
that hyperlinks in a restricted iframe are supposed to
open in a new window.
The browser's back and forward buttons can still
be used to navigate the restricted frame.
Mitigating Factors
Doesn't work in Mozilla browsers.
Due to the same-origin restriction on JavaScript,
data in the restricted iframe is not visible to the attacker if
its location is on a different domain.
If attackers can launch a Cross-Site Scripting (XSS) attack
on a site, they could get approximately the same effect through alternative
routes, for example using XMLHttpRequests and manipulating the
DOM.