Find a way to steal document.cookie w/o user interaction

vulnerable param: GET[xss]

I uploaded a new beta version - might be quirky here and there. While I think the point the challenge tried to make was made, it showed that the current and very experimental (as well as badly coded) level of protection is working a bit - and best of all on Firefox 9. I will dedicate time to the writeup on the bypasses soon. Special thanks goes to Roman, who not only submitted by far the most bypasses - but also provided insight on how to fix them best. Turns out more people do research on this particular and rather hopeless (j/k :)) field of DOM security than I initially thought! Thanks to all participants so far - I was blown away by the quality of your submissions!

Permitted browsers: IE9+. Any read access to the cookie counts as stealing: alerting it, writing it somewhere, channeling it out-bound... surprise me. UI redressing is valid as well, as long as no user interaction is required. Just make sure you can get your hands on the cookie value you can see in the page source. The button below allows access to document.cookie in a legitimate way. It's alright if you misuse it...


What's the point of this challenge? Simply to prove whether or not it is possible to protect important values from an attacker - even if the server is not capable of delivering protection and proper escaping. In other words: include a JavaScript like this and you have client-side XSS protection, no matter how messy the server config is. A different take on this was shown with XSSme¹ - a snippet to protect from attribute injections with plain JavaScript.
Did it? Mail me :)
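
An added example, not the challenge's own protection script, of how such a client-side guard on document.cookie can be constructed: the `makeDocument` stand-in for the browser's `document` and the function names are assumptions so that the code runs offline.

```javascript
// Added illustration, not the challenge's own script. `makeDocument` is a
// constructed stand-in for the browser's `document` so this runs under Node.
function makeDocument(cookieValue) {
  return { cookie: cookieValue };
}

// Replace the plain data property with a non-configurable accessor. Ordinary
// reads now return '' and the property can no longer be redefined or deleted.
// The only read path left is the closure returned here, which corresponds to
// the page's "button": it must stay unreachable from injected script.
function protectCookie(doc) {
  const value = doc.cookie; // capture the real value before hiding it
  let gateOpen = false;
  Object.defineProperty(doc, 'cookie', {
    configurable: false,
    enumerable: true,
    get() { return gateOpen ? value : ''; },
    set() { /* writes are dropped; a real guard would filter them instead */ }
  });
  return function legitimateRead() {
    gateOpen = true;
    try { return doc.cookie; } finally { gateOpen = false; }
  };
}

// Redefining a non-configurable accessor makes Object.defineProperty throw a
// TypeError, so the guard cannot simply be swapped out.
function canRedefine(doc) {
  try {
    Object.defineProperty(doc, 'cookie', { value: 'other', configurable: true });
    return true;
  } catch (e) {
    return false;
  }
}

// `delete` on a non-configurable property returns false (or throws in strict
// mode), so the guard cannot be removed that way either.
function canDelete(doc) {
  try { return delete doc.cookie; } catch (e) { return false; }
}

// In a real browser `cookie` is an accessor on Document.prototype, so the guard
// would be installed there rather than on the instance, and every other
// browsing context (e.g. a fresh iframe) has its own unguarded prototype.
// That scope limit is one reason the author calls the field "rather hopeless".
function demo() {
  const doc = makeDocument('session=abc123'); // constructed sample cookie
  const read = protectCookie(doc);
  return { plainRead: doc.cookie, legit: read(), afterRead: doc.cookie,
           redefinable: canRedefine(doc), deletable: canDelete(doc) };
}
console.log(JSON.stringify(demo()));
```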

Meanwhile, the ordered List of Glory (bypasses : fixes)

I messed up? Wrong score? Forgot something? Ping me - will correct immediately!
  1. @shafigullin 10+: 10 XSSme²
  2. @KinugawaMasato 9 : 9 XSSme²
  3. @TheWildcat 8 : 8 XSSme²
  4. @theharmonyguy 6 : 6 XSSme²
  5. @KKotowicz 5 : 5 XSSme² ← the most evil bypass. But solved!
  6. @masa141421356 4 : 4 XSSme² ← another sophisticated Event spoof!
  7. @garethheyes 4 : 4 XSSme²
  8. @arcanis 3 : 3 XSSme²
  9. @irsdl 2 : 2 XSSme²
  10. @WisecWisec 2 : 2 XSSme²
  11. @mattaustin 1 : 1 XSSme²
  12. @nahsra 1 : 1 XSSme²
  13. @ax330d 1 : 1 XSSme²

  14. Contestants 53 : 53 XSSme²

  15. @superevr 1 : 0 XSSme² (I cannot fix it :D Very awesome idea! Slightly outside the scope though)
  16. @KinugawaMasato 1 : 0 XSSme² (I cannot fix it as well :D Similar idea - very creative!)