
Cross-site scripting enabled on 1000 major sites – including financial sites - ck2
https://thestack.com/security/2016/02/23/cross-site-scripting-enabled-on-1000-major-sites-including-financial-sites/
======
ck2
tl;dr

never use

    Access-Control-Allow-Origin: *

and never simply repeat the requesting origin back in the access control

both rules seem kind of obvious to me but apparently not to everyone
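As an added example, not from ck2's comment or the linked article: the two CORS anti-patterns the comment warns against (wildcard `Access-Control-Allow-Origin`, and blindly echoing the request's `Origin`) written out beside an allowlist-based version, plus a small classifier a defender can run over captured response headers to spot either misconfiguration. The origins, header objects and function names are constructed for illustration; nothing here is a real site's configuration.

```javascript
// Added example (not from the HN thread or thestack article): how a server
// should (and should not) answer the Origin header on a CORS request.

// Assumed first-party origins (constructed for this example).
const ALLOWED_ORIGINS = new Set([
  'https://app.example.com',
  'https://admin.example.com',
]);

// Anti-pattern 1: wildcard. Any page on any site can read the response.
// Browsers refuse to attach credentials to a '*' response, so this mainly
// leaks data that is not tied to the user's cookies or auth headers.
function corsWildcard() {
  return { 'Access-Control-Allow-Origin': '*' };
}

// Anti-pattern 2: reflect the requesting Origin verbatim. This is worse than
// the wildcard because it is allowed to be combined with
// Access-Control-Allow-Credentials: true, so a page on any origin can read
// responses made with the victim's cookies.
function corsReflect(origin) {
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
  };
}

// Hardened: exact-match allowlist, 'Vary: Origin' so a shared cache never
// serves one origin's response to another, and no CORS headers at all for
// origins that are not on the list.
function corsAllowlist(origin, allowed = ALLOWED_ORIGINS) {
  if (typeof origin !== 'string') return {};
  // Exact string comparison. Prefix/substring or unescaped-regex checks are
  // the classic bugs here ('https://app.example.com.attacker.example' would
  // pass a startsWith() test; 'https://appXexample.com' passes an unescaped dot).
  if (!allowed.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    Vary: 'Origin',
  };
}

// Audit helper: classify the CORS headers a server returned for a probe
// Origin value. Use a probe origin the server has no reason to trust
// (e.g. a domain you control that is not in its allowlist) so that
// 'reflected*' results are meaningful.
function classifyCors(probeOrigin, headers) {
  const acao = headers['Access-Control-Allow-Origin'];
  const creds = headers['Access-Control-Allow-Credentials'] === 'true';
  if (acao === undefined) return 'no-cors';
  if (acao === '*') return 'wildcard';
  if (acao === probeOrigin && creds) return 'reflected-with-credentials';
  if (acao === probeOrigin) return 'reflected';
  return 'allowlisted';
}

module.exports = { corsWildcard, corsReflect, corsAllowlist, classifyCors };
```

Run the classifier against headers captured from a request whose `Origin` was set to a domain the service should not trust; `wildcard` and either `reflected` result are the two cases the comment says never to ship.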

