Stealing CSVs Cross-domain

Back in 2008, Chris Evans found it was possible to steal data cross-domain in Firefox using script includes. We can still read his report at http://scary.beasts.org/security/CESA-2008-011.html In his own words: The modern web model permits remote domain <script> inclusion with no restrictions.…