> Actually there is a mistake in the injected code that causes the result of the XHR request to be interpreted as JavaScript, and then executed
That's not a mistake. GitHub, like 99.99% of the Internet, doesn't allow cross-origin XHR for their pages (that's a security vulnerability). So they have to use <script> which doesn't follow the Same Origin Policy.
Though that's a bit silly, given they could've also used <img> which wouldn't be vulnerable to XSS.