CMS & cert. OK; retirable jQuery library, SRI issues and other insecurity.

See 1 vuln. library detected: http://retire.insecurity.today/#!/scan/2d65de0a3a2f3b59450273840218f6f06884ef1d71c59da488f0a4e6666d11c0

Vuln.: a JavaScript response could get executed from 3rd-party origins, also because of the following same-origin insecurity we found. But then we have to switch it off for same origin as well, because using subtle redirect_to saving tricks we can redirect the user to a local JSONP endpoint and still get an XSS, but those are much more sophisticated vectors. Half of the time the dataType setting is also generally not being used ::). Info credits go to: Homakov.

Consider here: 14 issues and F-status: https://sritest.io/#report/138423c8-64fc-4a49-9b21-62dcbcb92457

DOM XSS vuln.: http://www.domxssscanner.com/scan?url=https%3A%2F%2Fstevenbrownsblog.wordpress.com
Link in code to wXw.gmpg.org with many, many dead links.

Server for 192.0.78.12 & 192.229.163.25 & 93.184.216.172 without reverse DNS (Edgecast CDN might get blocked in Mainland China). Given as Google Safe. Go Daddy cert.: Go Daddy Secure Certificate Authority G2.

D-status and recommendations: https://observatory.mozilla.org/analyze.html?host=stevenbrownsblog.wordpress.com
E-status: https://securityheaders.io/?followRedirects=on&hide=on&q=stevenbrownsblog.wordpress.com
3 errors for sub-domain: https://hstspreload.org/?domain=stevenbrownsblog.wordpress.com

It seems that when we start testing websites we will see insecurity everywhere online, just like with the holes in Swiss cheese; it is a sorry situation, it really is. If only website developers would pay a bit more attention to coding with security in mind. But it seems we are preaching to the choir, and not even that: it all falls on deaf ears, it seems to me. (Damian aka pol)

polonus (volunteer website security analyst and website error-hunter)