@w @cassidyclown @r Yes, taking alarmist approach is indeed counter-productive. Appropriate mitigations can be implemented with high-level knowledge of the scope of vulnerability and by refusing to indicate that, you try to become bigger disruption then the underlying vulnerability might be. Essentially you're elevating what might be a trivial XSS issue, easily mitigated by appropriate security policy, to the full denial of service.