
Show HN: XSS on the new Minecraft.net website - _jomo
https://bugs.mojang.com/browse/WEB-268
======
_jomo
The issue was quite serious because it was possible to remotely log out a user
(via GET) and because the JavaScript executed when email/password were still
in the login form.

I also wonder how well known it is that 'window.location.href' accepts
'javascript:...' URIs which are then executed.

Why do browsers even allow this? Are there any legitimate use cases?
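
An added example, not part of the original post or of the site's own code: one way to guard an assignment to window.location.href against the 'javascript:...' URIs mentioned above, by parsing the target with the WHATWG URL parser and allowing only same-origin http(s) destinations. The function name safeRedirectTarget and the origin https://app.example are assumptions made for illustration.

```javascript
// Hypothetical helper: returns a same-origin path that is safe to assign to
// window.location.href, or the fallback when the input is not acceptable.
const APP_ORIGIN = "https://app.example"; // constructed placeholder origin

function safeRedirectTarget(raw, fallback = "/") {
  if (typeof raw !== "string") return fallback;
  let url;
  try {
    // Parse with the WHATWG URL parser (the same rules browsers apply when
    // navigating): the scheme is lowercased, leading whitespace is trimmed
    // and embedded tabs/newlines are removed, so "JaVaScRiPt:" and
    // "java\nscript:" both normalise to "javascript:" before the check.
    url = new URL(raw, APP_ORIGIN);
  } catch {
    return fallback; // unparseable input
  }
  // Scheme allowlist: rejects javascript:, data:, vbscript:, blob: and so on.
  if (url.protocol !== "https:" && url.protocol !== "http:") return fallback;
  // Same-origin only: rejects "//other.host/" and "\\other.host/" forms,
  // which the parser resolves to a different host.
  if (url.origin !== APP_ORIGIN) return fallback;
  // Hand back only the path, query and fragment, never the raw input.
  return url.pathname + url.search + url.hash;
}

// Constructed sample inputs, e.g. values of a ?next= query parameter.
const samples = [
  "/account?tab=1#top",
  "https://app.example/profile",
  "javascript:alert(1)",
  "JaVaScRiPt:alert(1)",
  " \tjava\nscript:alert(1)",
  "data:text/html,<p>x</p>",
  "//other.example/x",
  "\\\\other.example/x",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", safeRedirectTarget(s));
}
// In a page: window.location.href = safeRedirectTarget(params.get("next"));
```
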

