In Windows 8 IE10 Metro mode, if the user had a solid color desktop background instead of a wallpaper image, the domain shown in modal and modeless dialog title bars became invisible. The dialog chrome blended into the background in a way that made origin attribution impossible regardless of where the dialog was positioned on screen.
function main() {
showModelessDialog("modeless.html", window, "dialogwidth=1040px");
}This is a straightforward UI spoofing issue: the text that identifies the origin of a modal dialog was rendered in a color that became invisible against a solid background. An attacker could open a full-width modeless dialog showing any content while the user had no way to tell which site spawned it. Combined with other techniques that could load about:blank in the modal, the origin label could be suppressed entirely. Tested on Win8 RTM IE10 Metro.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.