Security researcher Jordi Chancel reported a method to spoof the
contents of the addressbar. This uses a persistent menu within a
<select>
element, which acts as a container for HTML content and can be
placed in an arbitrary location. When placed over the addressbar, this can mask the true
site URL, allowing for spoofing by a malicious site.