Here's a little taste of their nastiness:
<!-- Hidden 1x1 iframe: the browser fetches this third-party DoubleClick URL over plain http, and the src/type/cat/u/ord/num values in the path are sent with the request. -->
<iframe src="http://fls.doubleclick.net/activityi;src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
width="1" height="1" frameborder="0"></iframe>
Here are a few screenshots to demonstrate the issue. I discovered this little gift after installing the RequestPolicy addon.
Business Customer Site:
Normal Customer Site:
Here is the snippet from the HTTP response for /MyAccounts.aspx. As you can see from the HTML comments, they knew exactly what they were doing. A copy of the code is below the image:
<!-- Start of DoubleClick Spotlight Tag: Please do not remove-->
<script language="JavaScript">
// Security note: assigning document.domain relaxes the same-origin policy for this page.
// Once it is set to the shortened value, a page on any other host under that domain that
// sets the same document.domain can script this page, so the account page is only as
// trustworthy as the weakest host sharing the domain.
// If getDocumentDomain() returns null (its catch path), this assignment receives null.
document.domain = getDocumentDomain();
/**
 * Reduces the current document.domain to its last two dot-separated labels.
 *
 * Constructed example: "online.example.com" yields "example.com". A hostname
 * with no dot is returned unchanged. The code has no notion of multi-label
 * suffixes, so a constructed host such as "www.example.co.uk" yields "co.uk".
 *
 * @returns {?string} the shortened domain, or null if anything in the body throws.
 */
function getDocumentDomain()
{
try
{
var d = document.domain;
if(d.indexOf(".") > -1)
{
// end = the final label including its leading dot, e.g. ".com"
var end = d.substring(d.lastIndexOf("."), d.length);
// drop that final label from d
d = d.substring(0, d.lastIndexOf("."));
// keep only what follows the last remaining dot; with no dot left,
// lastIndexOf returns -1, so the substring starts at 0 and d is kept whole
d = d.substring(d.lastIndexOf(".") + 1, d.length);
// rejoin: second-to-last label + final label
d = d + end;
}
return d;
}
catch(e)
{
// any exception is swallowed and reported to the caller as null
return null;
}
}
/**
 * Opens aUrl in a window named "WAMUSSOMortgage" and brings it to the front.
 *
 * The window is placed at the current window's screenLeft and screenTop + 30,
 * with the location bar, menubar, status bar and toolbar enabled.
 *
 * NOTE(review): aUrl is passed to window.open with no check in this function;
 * the callers are not shown in this excerpt, so where the URL comes from should be verified.
 *
 * @param {string} aUrl - URL to load in the new window.
 */
function openWamuSSOWindow(aUrl)
{
var scLeft = window.screenLeft;
var scTop = window.screenTop + 30;
var newWin=window.open(aUrl, "WAMUSSOMortgage", "height=389,width=758,left=" + scLeft + ",top=" + scTop + ",screenX=0,screenY=0,location=yes,menubar=yes,resizable=yes,scrollbars=yes,status=yes,toolbar=yes");
var agt=navigator.userAgent.toLowerCase();
// Skip focus() only when the user agent contains "msie" and the single character
// five positions after the start of "msie" parses as 4 (parseInt is called without a radix).
if(!(agt.indexOf("msie")!=-1 && (parseInt(agt.substr(agt.indexOf("msie")+5,1))==4))){
// newWin is used without a null check; window.open can return null when a popup is blocked
newWin.focus();
}
}
// Global flag; nothing in this excerpt reads it, so its consumer is not shown here.
var _linkTrackingVersion = 2;
</script>
<!-- Fallback rendered only when scripting is disabled: a hidden 1x1 iframe that requests the DoubleClick URL over plain http. The script above does not itself create the iframe, so the script-enabled request path is not part of this excerpt. -->
<noscript>
<iframe src="http://fls.doubleclick.net/activityi;src=2299144;type=e-cus110;cat=e-cus876;u=123;ord=1;num=1?"
width="1" height="1" frameborder="0"></iframe>
</noscript>
<!-- End of DoubleClick Spotlight Tag: Please do not remove-->
-Michael Coates