This page is hosted by the attacker. Clicking the buttons below will trigger the loading of an error page in the iframe. The error page has an XSS vulnerability allowing the attacker to execute code within the application context.
The button on the left tries to steal data from localStorage, but there is no data available. The button on the right loads the storage container in the error page. As a result, the attacker can perform operations, but cannot access the secret directly.
This scenario illustrates a common attack to steal data from the browser. For more context, please refer to the security cheat sheet on Secure data storage in the browser