Outer attacker page on :8765, iframes victim form on :8766 (cross-origin). The iframe self-reports state to parent via postMessage so we can observe fills despite SOP.