From Scriptless Attacks – Stealing the Pie Without Touching the Sill (2012 paper): Download: hxxp://hgi.ruhr-uni-bochum.de/media/emma/veroeffentlichungen/2012/08/16/scriptlessAttacks-ccs2012.pdf .
Closing a tab isn't necessarily sufficient though. Sometimes logging out isn't sufficient either. Do we need to logout of webapps?