Frame onkeydown feedback

Published 2019-08-23 07:03

Question:

I'm trying to do a PoC for a Cross Frame Scripting attack (https://www.owasp.org/index.php/Cross_Frame_Scripting) to show in my job how dangerous this attack can be for any version of the IE browser. This attack can easily be prevented by using the X-FRAME-OPTIONS: deny header on IE8 or newer versions. But it would be nice if every developer included such a header on all web server responses. Using the code below I can see the alert window with the keycode, but in the case of forms on the target page I cannot see the letter of the key pressed inside the form.

<script>
        window.onkeydown = function() {
                alert(window.event.keyCode);
        }
</script>
<frameset onload="this.focus()" onblur="this.focus()">
        <frame src="http://www.uol.com.br">
</frameset>

Using the simple code below I can press the key and see both (alert window and the letter inside the form).

<script>
        window.onkeydown = function() {
                alert(window.event.keyCode);
        }
</script>
<input>

Is there something missing on the first code block? Thanks!

Answer 1:

There's probably nothing wrong with your code. Cross Frame Scripting is not a real vulnerability - it is only a vulnerability in old versions of Internet Explorer that contain a bug where the onkeypress event is triggered inside the parent frame, despite the domains not matching where this would usually be protected by the Same Origin Policy.

Other Cross Frame Scripting attacks are merely Cross Site Scripting attacks with a different name because they involve frames.
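
A header audit for the X-Frame-Options defence mentioned in the question, as an added example that is not part of the original question or answer. It also checks the CSP `frame-ancestors` directive, which goes beyond what the thread covers; the function names, result fields and sample headers are assumptions made for illustration, and one CSP policy per response is assumed.

```javascript
// Added example: audit a response's anti-framing headers.
// `headers` is a plain object of header name -> value.
function getHeader(headers, name) {
  const key = Object.keys(headers).find(k => k.toLowerCase() === name);
  return key === undefined ? null : String(headers[key]);
}

function classifyXfo(xfo) {
  if (xfo === null) return 'missing';
  // A header sent more than once arrives comma-joined.
  const values = [...new Set(xfo.split(',').map(v => v.trim().toUpperCase()))];
  if (values.length !== 1) return 'conflicting'; // configuration error: report it
  if (values[0] === 'DENY') return 'deny';
  if (values[0] === 'SAMEORIGIN') return 'same-origin';
  return 'unrecognized'; // e.g. the obsolete ALLOW-FROM, or a typo
}

function classifyFrameAncestors(csp) {
  if (csp === null) return 'missing';
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() !== 'frame-ancestors') continue;
    const sources = tokens.slice(1).map(t => t.toLowerCase());
    if (sources.length === 0 || sources.join() === "'none'") return 'deny';
    if (sources.join() === "'self'") return 'same-origin';
    return sources.includes('*') ? 'any-origin' : 'allowlist';
  }
  return 'missing';
}

function auditFraming(headers) {
  const xfo = classifyXfo(getHeader(headers, 'x-frame-options'));
  const frameAncestors = classifyFrameAncestors(getHeader(headers, 'content-security-policy'));
  const strict = v => v === 'deny' || v === 'same-origin';
  return {
    xfo,
    frameAncestors,
    // Internet Explorer honours X-Frame-Options but not frame-ancestors.
    legacyCovered: strict(xfo),
    // Conservative: a conflicting or unrecognized X-Frame-Options counts as uncovered.
    modernCovered: frameAncestors === 'missing' ? strict(xfo) : frameAncestors !== 'any-origin',
  };
}

// Constructed sample responses (not taken from any real site).
const SAMPLES = [
  { 'X-Frame-Options': 'DENY' },
  { 'Content-Security-Policy': "default-src 'self'; frame-ancestors 'none'" },
  { 'x-frame-options': 'DENY, SAMEORIGIN' },
];
for (const h of SAMPLES) console.log(JSON.stringify(h), '->', JSON.stringify(auditFraming(h)));
```

A response that relies on `frame-ancestors` alone reports `legacyCovered: false`, which is the case that matters for the IE versions discussed in the question.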