Somehow, hovering over a Google+ plus-one widget can introduce a tooltip-type deal that is clearly larger than the
Another thing, why is Google using an
iframe? Why not just generate a
div on the page? Well because the link originates from the
iframe, a CSRF (cross-site request forgery) token can be embedded in the request and the parent site cannot read this token and forge the request. So the
iframe is an anti-CSRF measure that relies upon the Origin Inheritance rules to protect itself from a malicious parent.
From an attack perspective this is more like XSS (cross-site scripting) than UI-Redress. You are giving Google access to your website and they could hijack your users' cookie's or perform
XmlHttpRequests against your website if they so choose (but then people would sue them for being malicious and wealthy).
In this situation you HAVE to trust Google, but Google doesn't trust you.