Evil Page Demo
Step 1. Exploit a Chrome bug and take over renderer process.
Step 2. Reach into user's account in iframe.
Step 3. Profit!
<iframe src='https://chromium-build.appspot.com/p/chromium/console'>
XHR example.com
XHR tests.netsekure.org