When a user touches a touch screen, webkit first fires touchstart-touchmove-touchend events, and then later, fires a click event. The click event is sent to the same coordinates in the document as the touch events, but as the touch events may alter the DOM, the click can easily be targetted to any element of an attackers choice (including for example a button in an iframe). This can be seen at http://jelzo.com/stuff/click-jack.html. When tapping on "Click me!", the click handler for "Not me!" fires; and when tapping on the plain text "follow me on twitter", the button in the iframe is triggered. * Gecko (tested with Firefox 14.01 on Android 4.0) does not exhibit this problem * Presto (tested with Opera Mobile 12.0.3 on Android 4.0) does not exhibit this problem when the target of the click is in an <iframe> (the follow me the best (though I haven't investigated why it acts that way); and Opera's is a reasonable compromise.on twitter example); but does when the target is just another link on the same page (the click me! example). * Webkit (tested in Chrome 18.0.1025123 on Android 4.0; dolphin browser hd 8.6.1 on Android 4.0; Dolphin Browser 5.2 on iPad 5.1.1; Safari on iPad 5.1.1) does exhibit this problem. On this example I think Firefox's behaviour is the best (though I haven't investigated why it acts that way); and Opera's is a reasonable compromise.