Posted by Justin Steven on Feb 08

the targeted site as well as the attacking site?

No, this is entirely an IE flaw. I’ve repro’d on domains that I know don’t
use cloudflare, from a domain that doesn’t use cloudflare.

There’s a great teardown on this POC by @filedescriptor at
http://innerht.ml/blog/ie-uxss.html