Apparently people do actually copy the JavaScript and paste it into the URL bar, effectively getting past cross-domain XHR restrictions.
This looks like another interesting case of "why Johnny can't notice security risks". How does one mitigate something like this other than expecting users to be knowledgeable?
http://www.facebook.com/pages/Osama-is-Dead-Watch-the-Video/...
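The trick the comment describes works because a `javascript:` URL typed into the address bar runs in the origin of the page currently loaded, so any XHR it issues is same-origin and carries the victim's cookies; the cross-domain restriction was never designed to stop code the user runs against their own session. The only place a check can sit is therefore on the input side. The example below is added here and is not code from the thread or from Facebook: it models a paste/address-bar filter that recognises `javascript:` input the way a browser's URL parser reads a scheme (strip leading and trailing control characters and spaces, drop tabs and newlines, case-insensitive match) and refuses to execute it. All function names are hypothetical.

```javascript
// Added example: classify address-bar / pasted text by URL scheme and refuse
// to execute "javascript:" input. Names below are hypothetical, not a real API.

const JS_SCHEME = "javascript";

// Mirror the URL parser's pre-processing: strip leading/trailing C0 controls
// and spaces, then remove ASCII tab, LF and CR anywhere in the string. Without
// this, "java\tscript:" or " javascript:" would slip past a naive prefix check.
function normalizeForScheme(text) {
  const trimmed = text.replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
  return trimmed.replace(/[\t\n\r]/g, "");
}

// Return the lower-cased scheme, or null if the text has no syntactically
// valid scheme (first char must be a letter, so "%6Aavascript:" is not one).
function schemeOf(text) {
  const s = normalizeForScheme(text);
  const m = /^([a-zA-Z][a-zA-Z0-9+.\-]*):/.exec(s);
  return m ? m[1].toLowerCase() : null;
}

function isJavaScriptUrl(text) {
  return schemeOf(text) === JS_SCHEME;
}

// Strip the scheme so what remains is treated as plain text (a search query),
// never as code to run in the current page's origin.
function stripJavaScriptScheme(text) {
  if (!isJavaScriptUrl(text)) return text;
  const s = normalizeForScheme(text);
  return s.slice(s.indexOf(":") + 1);
}

// Decide what an address bar (or a paste handler in a page) should do with
// the input: navigate, search, or block a javascript: payload.
function resolveAddressBarInput(text) {
  const scheme = schemeOf(text);
  if (scheme === JS_SCHEME) {
    return { action: "blocked", text: stripJavaScriptScheme(text) };
  }
  if (scheme !== null) {
    return { action: "navigate", url: normalizeForScheme(text) };
  }
  return { action: "search", query: text.trim() };
}

// Constructed samples of what a user might paste; the "Osama video" payloads
// in the comment were of the first kind.
const samples = [
  "javascript:void(document.body.appendChild(document.createElement('script')))",
  "  JaVaScRiPt:alert(document.cookie)",
  "java\tscript:alert(1)",
  "https://www.facebook.com/",
  "osama video",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", resolveAddressBarInput(s).action);
}
```

The filter blocks only the scheme; it cannot tell a malicious payload from a benign bookmarklet, which is why the trade-off browsers face is between keeping `javascript:` usable in the address bar and defending users who will paste whatever a page tells them to.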