A challenge by Masato, FD and .mario

The XSS Metaphor

Is it real?
Can it be?
What is the meaning of life?
Can you execute alert(1) in this origin?
Is the vulnerable parameter called xss?
Does it matter?

In scope are recent Chrome, Edge and Firefox browsers.
There is more than one expected solution. One easy, one hard. Experts will find both. User interaction is not required.


  1. Gábor Molnár, who found both possible solutions (confirmed on 18th of April 2016, 2pm)
  2. A gentleman going by the name phiber, one of two solutions (confirmed on 20th of April 2016, 4pm)
  3. David Júlio, who found one of two solutions (confirmed on 21st of April 2016, 11am)
  4. Tamás Hegedűs with an incredible and complex unexpected solution, wow! (confirmed on 23rd of April, 9pm)
  5. Pepe Vila & aerøx, who found two solutions, one being unexpected! (confirmed on 25th of April 2016, 2pm)
  6. Michał Bentkowski with two solutions, one of them completely unexpected! (confirmed on 26th of April 2016, 10am)
  7. Simon Lindholm, with one expected and one unexpected solution :D (confirmed on 26th of April 2016, 10am)
  8. You?

Mail .mario or FD or Masato if you did it :)

Thanks, Raphaël for spotting a reporting a bug prior to publication of the challenge.