Victim App.
Launch http://csrf.jp/bc/receiver.html as an iframe.