by TazeTSchnitzel
4098 days ago
> Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed

That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow cross-origin XHR for their pages (that's a security vulnerability). So they have to use <script> which doesn't follow the Same Origin Policy. Though that's a bit silly, given they could've also used <img> which wouldn't be vulnerable to XSS.