The 2 hour product was doomed, but I've rewritten it enough to be secure.

This was partly an instinctive decision, but I think it's too easy to go mobile. Part of the reasoning for having a tangible card is the novelty and the failproof factor behind it.

No advantage, but no disadvantage either.

Thanks for the kind words. Pittsburgh's tech scene looks pretty awesome.

Align the columns and use 3 colours instead of 5 which don't go together.

That's rather my point. I don't think they have done 'flat' right. Plus, what exactly is Apple-esque about the flat design in iOS7?

Correct. No browsers execute onclick when you open under new tab.

I've updated the pledge - I'm now asking major browsers to warn users if a link is changed to another domain from what it originally was.

Heck, if you're going to do that.. you don't even need JavaScript.

<meta http-equiv="refresh" content="0; url=http://malware.com />

Maybe there's a side to it that I'm not aware, but as far as I know, it's become very difficult to run exploitable JS in an iframe.

cjc1083's proposed attack vector is an interstitial page which drops a Java/Flash 0-day on you and forwards you to your original target site, leaving you compromised and none the wiser. My point is that if you can even do the redirect in the first place, it's much simpler to just iframe in the attack page and do the drop directly rather than waiting on user input to do it in a manner that they might notice.