Posted by Gynvael Coldwind on Nov 28

Hi Francisco,

Unfortunately your disclosure is factually wrong.

Please note that even the packet you are citing says “Host:
translate.googleusercontent.com” – this is not the same domain as
translate.google.es (or translate.google.com), therefore, due to the
JavaScript same-origin policy (
https://developer.mozilla.org/en-US/docs/Web/Security/Same-origin_policy)
it’s a different origin. Which means that scripts executed from…