by honoredb 4409 days ago
Fun! Level 6 failed to load any widgets, evil or otherwise, in Chrome; I had to switch to Firefox and redo the whole test. For my external script I used http://pastebin.com/raw.php?i=15S5qZs0, although I don't think the lack of a .js extension there was the problem.
5 comments

I hope this isn't a spoiler, but remember there are other ways to load resources without an external request. You can pass that stage without any requests to external servers.
Care to spoil how? I used an external server (Dropbox), but I'd love to know how to do it without.
SpoilersrandomletterssdataurlSpoilermorerandemletters
I had to manually remove the https:// in front of the URL for it to work. The following error is:

[blocked] The page at 'xss-game' was loaded over HTTPS, but ran insecure content from 'script-url': this content should also be loaded over HTTPS.

Got the same problem, it only works with an https address!
Nope. Works even if you use an address without http, but beginning with only "//"
In that example "//" is just another way to say "https://", though.
I had the same issue, I think it depends on browser configuration. Some browsers disallow http content on https pages.
The regex is case sensitive. That's how I solved it.
Haha, so obvious yet I completely missed that! I went with a protocol-relative URL [0]

[0] http://www.paulirish.com/2010/the-protocol-relative-url/

Weird. It worked fine for me in Chrome.
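
The workarounds mentioned in this thread (letter case, a protocol-relative URL, a data URL) all get past a filter that pattern-matches the raw string. The following is an added example, not part of the thread and not the game's code: it compares an assumed case-sensitive prefix filter with a check that resolves the URL the way a browser does and then allowlists the origin. The hostnames, page URL and function names are hypothetical.

```javascript
// Assumed weak filter (constructed for illustration): reject anything that
// starts with "http://" or "https://", matched case-sensitively on the raw string.
function weakCheck(url) {
  return !/^https?:\/\//.test(url); // true means "allowed to load"
}

// Hypothetical origins that are permitted to serve scripts for this page.
const ALLOWED_ORIGINS = new Set([
  "https://app.example.com",
  "https://static.example.com",
]);
const PAGE_URL = "https://app.example.com/frame"; // assumed page location

// Hardened check: parse and resolve the value against the page URL, so that
// scheme case, "//host" forms and non-HTTP schemes are all normalised first,
// then compare scheme and origin against the allowlist.
function strictCheck(url) {
  let resolved;
  try {
    resolved = new URL(url, PAGE_URL);
  } catch {
    return false; // unparseable input is never loaded
  }
  return resolved.protocol === "https:" && ALLOWED_ORIGINS.has(resolved.origin);
}

// Constructed sample inputs covering the cases discussed in the thread.
const SAMPLES = [
  "/static/gadget.js",                    // same-origin path
  "https://static.example.com/gadget.js", // allowlisted origin
  "HTTPS://other.example.net/x.js",       // upper-case scheme
  "//other.example.net/x.js",             // protocol-relative
  "data:text/javascript,void(0)",         // no network request at all
];

function compareChecks() {
  return SAMPLES.map((url) => ({
    url,
    weak: weakCheck(url),
    strict: strictCheck(url),
  }));
}

console.table(compareChecks());
```
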