Echo JS 0.11.0

Now imagine someone malicious drawing a pixel perfect Chrome browser that someone thinks is a normal browser, browses to their "bank" site, and enters credentials. Oops. I'm not even sure how you could protect against an attack like that..

I have bad news for you. Phishing attacks do not even need a fake browser UI. Even if XFS attacks are almost all fixed today, you don't need an iframe: there are fake versions of thousands of websites out there, and some tools can automate this faking process while adapting to user language, OS, etc.