Reliable Escape
EDIT: Another thing that comes to mind is that if the user has lost Internet connectivity, which happens for all kinds of reasons including somebody disconnecting the cable, then there is no way you could navigate them to another site. They could be stuck there like a deer in headlights on the "incriminating" page. I think this adds credibility to the idea of actually navigating to a benign partner/affiliate site that in turn loads your site in an iframe directly on their page. All you have to do to make your site disappear is delete your iframe from the DOM using JavaScript that is already loaded into the iframe. It would work even if the Internet connection went dead.
I would enable the Escape key for a quick exit. That's a physical, well-known key on the keyboard that the user can lunge for if they need to, rather than moving a finicky mouse pointer to a virtual button and clicking.
EDIT: I just realized that an earlier poster did mention the Escape key, referring to it as "ESC." I searched the page for "Escape key" before writing my response, but missed that.
EDIT: I'd leave the Panic Button on the page, too, with the text "Click Here or PRESS ESCAPE to Exit Quickly." But I'd put one at the top and one at the bottom of the page. Maybe I'd put a strip all the way around the page. If the visitor clicks anywhere in that border zone your content disappears.
Also consider; to make the Panic Button reasonably easy to click in a panic situation, you'd probably need to make it a little bit oversized and make sure it's always on the screen by moving it as the page scrolls, or by putting multiple Panic Buttons on the page, which could be kind of suspicious-looking in and of itself. It seems as if these probably want to be pretty discrete-looking pages that you're talking about.
If you're using jQuery, you could do something like the following to respond to the Escape key:
jQuery( function ( $ ) {
$( document ).keyup( function ( e ) {
if ( e.which === 27 ) // escape
{
// clean up...
}
} );
} );
Single-Page AJAX App
It looks like all of the suggested solutions are about figuring out some way to quickly navigate to some other site, either by having it pre-loaded and quickly displaying it over the top of your site, or by clearing the DOM then navigating away, or whatever.
If I were going to take that approach, I'd have a laundry list of universally benign sites and search engine searches that I would cycle through so that it isn't the same "search for black women's shoes" showing up every time.
But what about turning the whole concept on its head? Use one or more benign decoy sites, or even solicit unrelated benign commercial sites to host a benign-looking link, and load your site as a single-page AJAX app in an iframe on top of the host page(s)?
EDIT: You could even do this by having your home page briefly state that it is going to redirect the visitor to a cooperative partner site for their own safety and show a big friendly "Go" button. If you have multiple partner sites you can push them to, so much the better. When they click, erase the browser history for your page, redirect to the affiliated site with a URL query parameter that tells your bootstrap JavaScript at the affiliate to immediately load your iframe. From that point forward, there is no additional load on the affiliate's web server. This way, you have an official Home page, but you immediately get the visitor completely off of your page.
Pressing the Escape key or clicking the Panic Button would just delete your iframe from the DOM, leaving the benign host page and no browser history. (Poof)
You could mitigate browser history issues that way since your link would run a bit of bootstrap JavaScript code and you would never actually navigate the browser to your site at all.
When the bootstrap link in the host page is clicked, it would insert an iframe into the DOM, float it (absolute positioning and z-order) to position it on top of the host page, then make an AJAX call to your web service to retrieve HTML content that it would load into the frame. All additional links and/or buttons in the frame would also make AJAX calls to your service, whether posting data to the server or retrieving data for display. You would never load an actual "page" in the user's browser at all.
Another nice aspect of this approach is that if the browser crashes or becomes unstable and has to be shut down from Task Manager, which would prevent the cleanup code from running, well that won't matter because you don't (necessarily) have anything to clean up.
Houston...?
A few serious problems I see with any of these solutions off the top of my head, particularly given the context that lives may be on the line:
cached objects (images, primarily) in the browser cache
the router/firewall might be logging HTTP/HTTPS requests, and the victim may not know this, and nothing you do to clean up the browser will mitigate that
there could be keylogging/screencap spyware installed on the user's machine and nothing you can do from a browser app will mitigate that
computers crash, web browsers get flakey and crash and traces get left behind because cleanup code can't run.
As suggested by at least one other poster (honestly, I've only briefly skimmed the other posts), using browsers in secure mode should mitigate many of these scenarios. But that is a user training issue and user training can be a little crazy under the best conditions. It could be real tough to get right if the victims aren't very tech-savvy, especially if they really are in a panic-mode situation where calm thinking might be difficult.
