> This site is set so that there is a frame of https://www.bankone.com
> inside my https://slam.securescience.com/threats/mixed.html site. The
> imaginative part is that you may have to reverse the roles to understand
> the impact of this (https://www.bankone.com with
> https://slam.securescience.com frame -> done via cross-user attacks
> trivially).

Let me get this right: here we have a page which appears to be from
domain A, but in fact it has frame(s) which display domain B. This
allows a page to have the content from domain B but the outward
appearance is of domain A, including the SSL lock on the page which
indicates "this page is safe" to the user.

It looks like this allows one to spoof domain A quite successfully,
unless I'm missing


