See: http://www.domxssscanner.com/scan?url=http%3A%2F%2Fcdn.headwayapp.co%2Fwidget.js
meta security headers and security headers not being returned.

F-F-X-status: https://observatory.mozilla.org/analyze.html?host=cdn.headwayapp.co
and probably problems in combination with jQuery migrate and piwik.pro cloud code

polonus (volunteer website security analyst and website error-hunter)