Posted by David Leo on Feb 08
“is this entirely an IE flaw”
Yes.
“is it tied to the use of Cloudflare”
No.
“I tried to reproduce… was unsuccessful”
Likely, this detail is missing:
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
Please tell us whether you reproduce (with the PHP code).
“am I correct… JavaScript hosted on shared domains”
In the demo, it’s first injected into page…