[None4U]

Perhaps HttpOnly wasn't as prevalent back then?

[matsemann]

Yup, no CORS either, all protections relied on having proper CSRF-tokens, but with JS access one could read that token as well.

My "hack" was mostly pretty harmless. Just did some layout changes to make my profile cooler. But the door was wide open for anything.