javascript – HTML / CSS / JS: Can an invisible form intercept (hijack) user input?

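I heard someone mention that it is theoretically possible to place an invisible iframe on top of content and receive the input that someone intends to put into a form. How is this possible without arousing suspicion? It scares me…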

Solution

Yes, this is possible! It is called clickjacking, and it is very real. See this for more information: http://en.wikipedia.org/wiki/Clickjacking

Michal Zalewski of Google has a theoretical example (source: Page 1, Page 2):

“A malicious page in domain A may create an IFRAME pointing to an application in domain B, to which the user is currently authenticated with cookies,” Zalewski said in a message to a mailing list on Thursday. “The top-level page may then cover portions of the IFRAME with other visual elements to seamlessly hide everything but a single UI button in domain B, such as ‘delete all items,’ ‘click to add Bob as a friend,’ etc. It may then provide [its] own, misleading UI that implies that the button serves a different purpose and is a part of site A, inviting the user to click it.”
