How long until a canvas is used to render the full chrome of a web browser (e.g. including the TLS padlock), showing a fake benign URL in the (fake) address bar while having the user interact with a malicious page?
Yes, but this "emergency" UI of the OS could be improved I think. (Also that functionality could have been build easily with normal DOM and JS, cancel and override all events, etc)