Numerous Sites Explicitly Open To Cross Site Scripting

A survey of top websites has revealed many including unnamed Bitcoin holding websites have a header set which explicitly allows third party javascript to be run on their pages without any checks on the code's origin (archived). Web stack security is exactly as bad as you thought it was. Unless you didn't think it was this bad, in which case it is far worse than you think. Of course, Coinbase would never be the same if they removed their Gravatar integration.

One thought on “Numerous Sites Explicitly Open To Cross Site Scripting

Leave a Reply to Mircea Popescu Cancel reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>