URL-redirect vuln == XSS ! Location:data:text/html, и new XMLHttpRequest().open("GET", "data:text/html,", false); #firefox #datauri