Fascinating.<p>Is it correct to say that extracting information about the text in a target iframe using this attack depends on knowing the pixel widths of all the characters in the font used in an arbitrary line of text in the target iframe?
Good thing I do not run Javascript, esp. when items are fetched from other domains:<p><a href="http://postimg.org/image/3m9v8eyrx/" rel="nofollow">http://postimg.org/image/3m9v8eyrx/</a><p>I wonder how many people are still naive, and just leave it JS on, no questions asked..